From: Matthew Booth <mbooth@redhat.com>
To: linux-audit@redhat.com
Subject: Cooked audit log format
Date: Sun, 11 May 2008 22:40:48 +0100
Message-ID: <482767E0.10506@redhat.com>

As recently mentioned, Linux audit logs[1] are fairly hideous, and 
although machine readability may have been a design goal, I'd argue 
they're not too friendly in that regard either. I suspect, in fact, that 
the principal driver has been machine producibility ;)

I've noticed that a number of utilities cook the logs slightly. I've 
shied away from this to date because I want to be able to leverage 
existing tools. However, if some standard emerged (or has emerged and I 
missed it) for cooked logs, I'd be extremely interested in implementing 
that.

Simple starters would include:
* Translating the architecture and syscall names into human.
* Jumping one way or the other with the hex strings business.
* Translating socket addresses into human.
* Translating timestamps into human.
* Ditching uninteresting records, such as PATH with no name for the 
dynamic linker, and 2 PATH records when execing a script.

with an ultimate goal of:
* Defining an expected set of data for every system call and putting 
them all on a single line in a well defined format.

Is anybody doing any work in this direction?

Matt

[1] Of course, they're really accounting logs produced by the accounting 
daemon. If you actually audit your accounting logs, this seemingly 
pedantic point can become quite confusing.
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
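
As an added example (not code from Matt's message or from any audit tool), a small Python "cooker" that does the starters listed above over constructed records: it merges the records of one event by serial, translates arch and syscall numbers through assumed partial lookup tables, decodes audit's unquoted hex-string form, decodes an AF_INET saddr, renders the timestamp, and drops nameless PATH records.

```python
import re, socket, struct
from datetime import datetime, timezone
# Assumed partial tables: AUDIT_ARCH_* values and a few x86_64 syscall numbers.
ARCH = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALL = {"x86_64": {2: "open", 42: "connect", 59: "execve"}}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")

def decode_string(value):
    # Quoted values are plain; unquoted hex means the value held spaces,
    # quotes or control bytes (NUL separates words, e.g. in proctitle).
    if value.startswith('"'):
        return value.strip('"')
    return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")

def decode_saddr(hexstr):
    # saddr= is a raw struct sockaddr in native byte order; AF_INET only here.
    raw = bytes.fromhex(hexstr)
    if struct.unpack_from("=H", raw)[0] != socket.AF_INET:
        return f"raw={hexstr}"
    port = struct.unpack_from("!H", raw, 2)[0]  # sin_port is network byte order
    return f"{socket.inet_ntoa(raw[4:8])}:{port}"

def cook(lines):
    # Merge every record sharing a serial into one dict of readable fields.
    events = {}
    for line in lines:
        rec = dict(FIELD_RE.findall(line))
        secs, serial = MSG_RE.search(rec["msg"]).groups()
        ev = events.setdefault(serial, {
            "time": datetime.fromtimestamp(int(secs), timezone.utc).isoformat()})
        if rec["type"] == "SYSCALL":
            arch = ARCH.get(rec["arch"], rec["arch"])
            ev["arch"], ev["syscall"] = arch, SYSCALL.get(arch, {}).get(
                int(rec["syscall"]), rec["syscall"])
        elif rec["type"] == "EXECVE":
            ev["argv"] = [decode_string(rec[f"a{i}"]) for i in range(int(rec["argc"]))]
        elif rec["type"] == "SOCKADDR":
            ev["saddr"] = decode_saddr(rec["saddr"])
        elif rec["type"] == "PATH" and rec["name"] != "(null)":  # ditch nameless PATH
            ev.setdefault("paths", []).append(decode_string(rec["name"]))
    return events

# Constructed sample: an execve (serial 456) and a connect (serial 457).
SAMPLE = [
    'type=SYSCALL msg=audit(1210542048.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=4242 uid=1000 exe="/bin/ls" key=(null)',
    'type=EXECVE msg=audit(1210542048.123:456): argc=2 a0="ls" a1=2F746D702F6D7920646972',
    'type=PATH msg=audit(1210542048.123:456): item=0 name="/bin/ls" inode=1',
    'type=PATH msg=audit(1210542048.123:456): item=1 name=(null) inode=2',
    'type=SYSCALL msg=audit(1210542048.130:457): arch=c000003e syscall=42 success=yes exit=0 pid=4242 uid=1000 exe="/bin/ls" key=(null)',
    'type=SOCKADDR msg=audit(1210542048.130:457): saddr=02000050C0A801010000000000000000',
]
```

`cook(SAMPLE)` yields one dict per serial; a real tool would load the full per-architecture syscall tables and handle the `a1[0]`-style split arguments of long EXECVE records.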
