From: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
Subject: Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines
Date: Thu, 05 Jan 2012 14:44:57 -0200
Message-ID: <4F05D389.8090808@linux.vnet.ibm.com>
In-Reply-To: <201112201318.16636.sgrubb@redhat.com>
Hi Steve,
Thanks for your feedback.
I'm already updating the source code based on your comments and looking
for other events that may be correlated to a VM.
But I'm not sure what "anomaly events" means. Would it be malformed
records (without some fields, for example) or a specific record type
generated by the kernel or some other userspace application?
Regards,
Marcelo
On 12/20/2011 04:18 PM, Steve Grubb wrote:
> On Thursday, December 15, 2011 10:56:51 AM Marcelo Cerri wrote:
>> This patch adds a new tool to extract information related to virtual
>> machines from the audit log files. It can output a summary with
>> information about the number of events found with details by type of
>> record and operation. The tool can also output the filtered records as
>> found in the audit log.
>>
>> Using the --avc option auvirt tries to correlate AVC records to the guests
>> based on its security context. It's also possible to select records related
>> to just one guest using the UUID or the guest name.
> I'm wondering about this tool. It runs fine. But I thought you were wanting to do
> some more sophisticated analysis of events. For example this is the current
> output:
>
> $ ./auvirt --file ../../../virt-audit.log
> Total records: 6
>   Virt records: 6
>     Resource records: 4
>     Machine ID records: 1
>     AVC records: 0
> Operations:
>   Start: 1
>   Stop: 0
> Considered time:
>   Start: Tue Dec 20 09:33:01 2011
>   End: Tue Dec 20 09:33:01 2011
>
> This is not much different than what can be reported by ausearch/report with the
> new uuid and vm search fields. Also, testing with the uuid number doesn't seem to
> get any hits. But using the vm name does.
>
> I plan to add a very basic virt report to aureport soon. I was wondering if the
> above is all anyone really wanted to see? I would think that perhaps you want
> some info about start/stop assignment of resources, changes in resources, and
> perhaps MAC or anomaly events related to a vm. But laid out like the aulast
> program.
>
> boot vm-name time (total runtime)
> resource what-kind old-value new-value time (total time assigned)
> avc access-type obj results time
> shutdown vm-name time
>
> and there might be other audit events associated with a vm.
>
> -Steve
>
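The two pieces of the discussion above that are worth seeing in working code are the correlation auvirt's --avc option is described as doing (matching an AVC record's scontext against the vm-ctx recorded for a guest, since AVC records carry no uuid or vm name) and the aulast-style boot/resource/avc/shutdown layout Steve sketches. The script below is an added illustration written for this page; it is not code from auvirt, from the audit package, or from either poster. The audit records it parses are constructed samples whose field names follow the libvirt VIRT_MACHINE_ID, VIRT_CONTROL and VIRT_RESOURCE records and the kernel AVC record; the uuid, SELinux contexts, pids and timestamps are invented, and the output column layout is an assumption, not auvirt's or aureport's format.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not taken from the thread). The field layout
# follows the libvirt-generated VIRT_* records and the kernel AVC record;
# the uuid, SELinux contexts, pids and timestamps are invented.
SAMPLE_LOG = """\
type=VIRT_MACHINE_ID msg=audit(1324373581.100:40): pid=1000 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-ctx=system_u:system_r:svirt_t:s0:c12,c34 img-ctx=system_u:object_r:svirt_image_t:s0:c12,c34 model=selinux exe="/usr/sbin/libvirtd" res=success'
type=VIRT_CONTROL msg=audit(1324373581.200:41): pid=1000 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-pid=2345 exe="/usr/sbin/libvirtd" res=success'
type=VIRT_RESOURCE msg=audit(1324373581.300:42): pid=1000 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm resrc=mem reason=start vm="guest1" uuid=11111111-2222-3333-4444-555555555555 old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" res=success'
type=AVC msg=audit(1324373590.000:50): avc:  denied  { read } for  pid=2345 comm="qemu-kvm" name="disk.img" dev=dm-0 ino=1234 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1324373591.000:51): avc:  denied  { write } for  pid=9999 comm="httpd" name="index.html" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=VIRT_CONTROL msg=audit(1324373641.200:60): pid=1000 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=stop reason=shutdown vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-pid=2345 exe="/usr/sbin/libvirtd" res=success'
"""

HEAD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r"(\S+?)=(\"[^\"]*\"|'[^']*'|\S+)")
AVC_RE = re.compile(r"avc:\s+(\w+)\s+\{ ([^}]*) \}")


def parse_fields(text):
    """Flatten key=value pairs, including the nested msg='...' libvirt block."""
    fields = {}
    for key, val in FIELD_RE.findall(text):
        if key == "msg" and val.startswith("'"):
            fields.update(parse_fields(val[1:-1]))
        else:
            fields[key] = val.strip('"')
    return fields


def parse_record(line):
    """Return a dict for one audit record, or None for lines we do not recognise."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    rec = {"type": rtype, "time": int(secs), "serial": int(serial)}
    rec.update(parse_fields(body))
    if rtype == "AVC":
        avc = AVC_RE.search(body)  # "avc:  denied  { read }" is not key=value
        if avc:
            rec["result"], rec["perms"] = avc.group(1), avc.group(2).strip()
    return rec


def fmt(secs):
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def correlate(log_text):
    """Group VIRT_* records by guest uuid and attribute AVC records via vm-ctx."""
    guests = {}       # uuid -> {"name", "ctx", "events": [(time, serial, kind, what, detail)]}
    ctx_to_uuid = {}  # vm-ctx -> uuid, the only link an AVC record gives us
    avcs = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        t = rec["type"]
        if t in ("VIRT_MACHINE_ID", "VIRT_CONTROL", "VIRT_RESOURCE"):
            g = guests.setdefault(rec["uuid"], {"name": rec["vm"], "ctx": None, "events": []})
            if t == "VIRT_MACHINE_ID":
                g["ctx"] = rec["vm-ctx"]
                ctx_to_uuid[rec["vm-ctx"]] = rec["uuid"]
            elif t == "VIRT_CONTROL":
                kind = "boot" if rec["op"] == "start" else "shutdown"
                g["events"].append((rec["time"], rec["serial"], kind, g["name"], rec.get("reason", "")))
            else:
                res = rec["resrc"]
                old, new = rec.get("old-" + res, "?"), rec.get("new-" + res, "?")
                g["events"].append((rec["time"], rec["serial"], "resource", res, f"{old} -> {new}"))
        elif t == "AVC":
            avcs.append(rec)
    # Second pass: an AVC record is attributed to the guest whose vm-ctx equals
    # the record's scontext; anything else (here the httpd denial) is left out.
    for rec in avcs:
        uuid = ctx_to_uuid.get(rec.get("scontext"))
        if uuid is None:
            continue
        obj = f"{rec.get('tclass')}:{rec.get('name', '?')}"
        guests[uuid]["events"].append((rec["time"], rec["serial"], "avc", rec["perms"], f"{obj} {rec['result']}"))
    for g in guests.values():
        g["events"].sort()  # chronological, serial breaks same-second ties
    return guests


def format_report(guests):
    """Render the aulast-like layout: boot / resource / avc / shutdown per guest."""
    lines = []
    for g in guests.values():
        start = next((e[0] for e in g["events"] if e[2] == "boot"), None)
        stop = next((e[0] for e in g["events"] if e[2] == "shutdown"), None)
        for t, _serial, kind, what, detail in g["events"]:
            extra = f" (runtime {stop - start}s)" if kind == "boot" and start is not None and stop is not None else ""
            lines.append(f"{kind:<9} {what:<10} {detail:<28} {fmt(t)}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(correlate(SAMPLE_LOG)))
```

Running the script prints four lines for guest1: the boot with its total runtime, the memory assignment, the one AVC denial whose scontext matches the guest's vm-ctx, and the shutdown; the httpd denial is not attributed to any guest because no VIRT_MACHINE_ID record carries its context. The parser deliberately relies on VIRT_MACHINE_ID to learn the context, so a log that starts after that record was written (or one with the context fields missing, the "malformed record" case raised in the reply) yields guests with no AVC lines rather than wrong attributions.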