From: Steve Grubb <sgrubb@redhat.com>
To: klausk@br.ibm.com
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: Re: should I loose audit data if I only care about the record's fields?
Date: Wed, 14 Nov 2007 10:37:07 -0500
Message-ID: <200711141037.08301.sgrubb@redhat.com>
In-Reply-To: <1194996645.26025.28.camel@klausk.br.ibm.com>
On Tuesday 13 November 2007 18:30:45 Klaus Heinrich Kiwi wrote:
> Example record:
> type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
> uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
> msg='op=adding user to shadow group acct=klausk
> exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1
> res=success)'
>
> using walk_test() from the test routine (python):
> ---
> op=adding (adding)
> ---
> 'op=adding' - adding what? no information about what's going on here.
This is an audit record that should probably be fixed in the application's
source code.
> _side note_: just noticed that the original record is telling 'adding
> user to shadow group' when in fact I was adding the user to the 'nobody'
> group, plus others, with 'usermod -G' - I'll check that again later.
Yeah, might be a bug. shadow-utils is horrible for auditing since it has so
many exit points that need to be audited. In my opinion, all the apps in it
need restructuring for the logging/auditing.
> Another example is the LOGIN record:
> original record:
> type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
> auid=4294967295 new auid=0
>
> ---walk_test()----
> event 1 has 1 records
> record 1 of type 1006(LOGIN) has 5 fields
> line=1 file=None
> event time: 1193547601.367:36782, host=None
> type=LOGIN (LOGIN)
> pid=11698 (11698)
> uid=0 (root)
> auid=4294967295 (unset)
> auid=0 (root)
> ---
> two auid fields? which is old and which is new? ok maybe not the
> brightest example but IMO still valid.
Yep, that is implicit in the ordering.
> Maybe auparse is aimed to just help us when we need to extract data, but
> it is well-settled that someone will need the whole record to actually
> know what's going on - please tell me if that is the case.
You can access the whole record with auparse_get_record_text().
> Thoughts?
There is also a section of code that is not written. There are plans to access
the "in-between" data as an ancillary field. I believe there are FIXME's in
the code where this should be. Unfortunately, I can't get to it for a little
while.
-Steve
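The walk_test() output quoted above shows what a fields-only walk of a record loses (op=adding with its sentence gone, two bare auid fields), and the answer given is to keep the whole record text. The parser below is an added example in Python, not code from this thread or from auparse, run on constructed copies of the two records quoted above. It keeps fields in record order so the old/new auid pairing survives, collects the discarded in-between words as an ancillary list (the planned "in-between" data), and keeps the untouched record text alongside, in the spirit of auparse_get_record_text(). The header and nested msg='...' handling are my own simplification, not auparse's logic.

```python
import re

# Constructed samples modelled on the two records quoted in the thread.
USER_CHAUTHTOK = (
    "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 "
    "uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=adding user to shadow group acct=klausk "
    "exe=\"/usr/sbin/usermod\" (hostname=?, addr=?, terminal=pts/1 res=success)'"
)
LOGIN = ("type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 "
         "old auid=4294967295 new auid=0")

HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):\s*")
# Optional key= then a double-quoted, single-quoted or bare value; wrapping
# parentheses and a trailing comma are consumed, not kept.
TOKEN = re.compile(r"""\(?(?:(\w+)=)?("[^"]*"|'[^']*'|[^\s,()]+)[,)]?""")

def tokenize(text):
    """Ordered (key, value) pairs plus the key-less words in between: those
    words are exactly what a fields-only view of the record discards."""
    fields, dropped = [], []
    for m in TOKEN.finditer(text):
        key, val = m.group(1), m.group(2)
        if key is None:
            dropped.append(val)
        elif val.startswith("'") and "=" in val:  # nested msg='k=v ...' payload
            f, d = tokenize(val[1:-1])
            fields.extend(f)
            dropped.extend(d)
        else:
            fields.append((key, val.strip('"')))
    return fields, dropped

def parse_record(record):
    m = HEADER.search(record)
    if m is None:
        raise ValueError("not an audit record: %r" % record)
    fields, dropped = tokenize(record[:m.start()] + record[m.end():])
    return {"text": record,  # whole record kept, like auparse_get_record_text()
            "event": m.group(1) + ":" + m.group(2),
            "fields": fields, "dropped": dropped}

def values(parsed, key):
    """Every value for key in record order, so LOGIN's old auid comes first."""
    return [v for k, v in parsed["fields"] if k == key]
```

For the USER_CHAUTHTOK sample, `dropped` comes back as the words "user to shadow group" that walk_test() never showed, while `text` still carries the full sentence for anyone who needs it.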