From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Todd, Charles" <CTODD@ball.com>
Subject: Re: Offline audit trail analysis
Date: Tue, 11 Sep 2007 16:22:22 -0400 [thread overview]
Message-ID: <200709111622.23459.sgrubb@redhat.com> (raw)
In-Reply-To: <C482FF98AE985A47B8C982FD429C9E3401370F00@daytonmsg2k3.AERO.BALL.COM>
On Tuesday 11 September 2007 15:31:53 Todd, Charles wrote:
> Has anyone talked about sane ways to do offline analysis of Linux audit
> logs? Presumably, this would be on another Linux system, but maybe not
> the same host, and probably not on the same release or with the same
> username/IP address access. Conceptually, ausearch would save and
> optionally read a system's "configuration" to be saved for
> interpretation later.
ausearch uses getpw* and getgr* calls to resolve the uid & gid. Aside from
that, I believe it is self contained. (I haven't dug too deep in answering
this question.)
> My goal is central logging, but doing the reporting/analysis on the
> central host. That way, I can see a user across the Enterprise (or at
> least in the Linux hosts), but with all the power of ausearch for
> refining the report.
That is in the works...
> Ideally, I would do an ausearch -ts <date> -te
<date> --raw --config-to=<hostname.ausearch.config> and it would do
> things like saving the syscall lookup table,
This is actually inside libaudit for all arches.
> lookup users referenced in the reported audit trail,
uid & gid are based on the host's /etc/nsswitch.conf settings. If file, then
its the local passwd/group files. If not, you have a central uid database.
> and resolve IP addresses references in the reported audit trail.
Hmm. As long as systems don't get changed too much, this should be resolvable
from anything that has DNS access.
> Maybe one config file could be written for each data type in an existing
> format (e.g. users in /etc/passwd format, hosts in /etc/hosts format, etc.).
> I'm mainly after whether or not anyone has considered extending ausearch for
> this kind of processing?
Sort of. I am working towards central logging. Getting the new event
dispatcher completed is the first step. But I haven't looked at storing user
and gid away yet. The calls that I'm using don't really allow substituting a
new passwd or group file. So, I'd have to change all that code. But if you
have an enterprise setup, you shouldn't be deleting user IDs to keep from
having a collision down the road.
> This way, an archive of raw logs could be kept along with the exact
> system configuration which allows offloading the audit trail analysis to
> a trusted location, rather than risk side effects from a rootkit.
Yep.
-Steve
next prev parent reply other threads:[~2007-09-11 20:22 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-11 19:31 Offline audit trail analysis Todd, Charles
2007-09-11 20:22 ` Steve Grubb [this message]
2007-09-11 20:59 ` Wieprecht, Karen M.
2007-09-11 21:20 ` Todd, Charles
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200709111622.23459.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=CTODD@ball.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.