From: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
Subject: Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines
Date: Mon, 16 Jan 2012 11:05:31 -0200
Message-ID: <4F14209B.6000106@linux.vnet.ibm.com>
In-Reply-To: <201201131423.14415.sgrubb@redhat.com>

Hi,

Just a few questions:

What did you mean by "a security report"? Just another section or a
separate mode?

Wouldn't it be a problem to put the time field at the end of the
resource records? It'd be like that:

res guest-name-2 root mem "?" "1048576" Wed Jan 11 15:23
- 15:24 (00:01)
start guest-name-2 root Wed Jan 11 15:23 - 15:24 (00:01)

Or like that:

res guest-name-2 root mem "?" "1048576" Wed Jan 11 15:23
- 15:24 (00:01)
start guest-name-2 root Wed Jan 11 15:23
- 15:24 (00:01)

Regards,
Marcelo

On 01/13/2012 05:23 PM, Steve Grubb wrote:
> Hello,
>
> On Friday, January 13, 2012 12:25:05 PM Marcelo Cerri wrote:
>> These are some output examples of auvirt. What do you think?
> I think you are on the right track.
>
>
>> I just added a "--full" option because libvirt can generate several
>> resource events and this can make the output confusing.
> Hmm. Why not call it --resource if it's a resource specific report? Full to me
> implies everything for all guests.
>
>
>> $ ./auvirt
>> start guest-name-1 root Tue Jan 10 11:05
>> stop guest-name-1 root Tue Jan 10 11:39
>> start guest-name-2 root Wed Jan 11 15:23
>> start guest-name-2 root Wed Jan 11 16:28
>> start guest-name-1 root Wed Jan 12 19:47
> Why not collapse these into 1 line like last that shows a duration?
>
> start guest-name-1 root Tue Jan 10 11:05 - 11:39 (00:34)
>
> Do you have any samples for when a guest is paused and restarted? I would also
> collapse those into a line showing the duration of the pause.
>
> pause guest-name-1 root Tue Jan 10 11:15 - 11:30 (00:15)
>
>
>> $ ./auvirt --show-uuid
>> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan
>> 10 11:05
>> stop guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan
>> 10 11:39
>> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan
>> 11 15:23
>> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan
>> 11 16:28
>> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Wed Jan
>> 12 19:47
>>
>> $ ./auvirt --summary # keep the same behaviour
>>
>> $ ./auvirt --uuid fb4149f5-9ff6-4095-f6d3-a1d03936fdfa
>> start guest-name-1 root Tue Jan 10 11:05
>> stop guest-name-1 root Tue Jan 10 11:39
>> start guest-name-1 root Wed Jan 12 19:47
>>
>> $ ./auvirt --vm-name guest-name-2
>> start guest-name-2 root Wed Jan 11 15:23
>> start guest-name-2 root Wed Jan 11 16:28
> Maybe it will be easier on admin's fingers to just call the above option --vm? I
> like shorter names if they make sense and are unambiguous.
>
>
>> $ ./auvirt --full --uuid f937029b-93ca-4e13-b40b-663f46323503
>> res guest-name-2 root Wed Jan 11 15:23 disk "?"
>> "/images/guest-2.img"
>> res guest-name-2 root Wed Jan 11 15:23 vcpu "0" "4"
>> res guest-name-2 root Wed Jan 11 15:23 net "?"
>> "52:54:00:DB:AE:B4"
>> res guest-name-2 root Wed Jan 11 15:23 mem "?" "1048576"
>> start guest-name-2 root Wed Jan 11 15:23
>> avc guest-name-2 root Wed Jan 11 19:49 read
>> "/images/guest-2.img" denied
>> res guest-name-2 root Wed Jan 11 15:23 mem "1048576"
>> "2097152"
>> stop guest-name-2 root Wed Jan 11 16:28
> I would separate avcs and anomalies into a security report. Then for the
> resource section, I would rearrange the fields so the time is at the end and then
> show the duration so you collapse 2 lines (assignment and disposal) into 1 line.
>
> For things that are disposed of at shutdown, you can just put "down" like last
> does when users are logged out by the system shutdown.
>
> Overall, I think this is heading in the right direction.
>
> Thanks,
> -Steve
>
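
The collapsed, `last`-style layout proposed in the quoted reply, sketched as an added example; it is not code from the auvirt patch or from either author. It assumes whitespace-separated lines in the layout shown in the thread and a caller-supplied year (the report omits it); the sample input is constructed and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample in the report layout from the thread:
# event, guest, user, weekday, month, day, HH:MM
SAMPLE = """\
start guest-name-1 root Tue Jan 10 11:05
stop guest-name-1 root Tue Jan 10 11:39
start guest-name-2 root Wed Jan 11 15:23
stop guest-name-2 root Wed Jan 11 16:28
start guest-name-1 root Thu Jan 12 19:47
"""

def parse(line, year):
    event, guest, user, *stamp = line.split()
    # The weekday is kept for printing only; the year is an assumption
    # supplied by the caller because the report does not carry it.
    when = datetime.strptime(f"{year} {' '.join(stamp[1:])}", "%Y %b %d %H:%M")
    return event, guest, user, " ".join(stamp), when

def collapse(text, year=2012):
    """Pair each guest's start with its next stop and emit one line per run."""
    open_runs = {}  # guest -> (user, printed start stamp, start datetime)
    rows = []       # (start datetime, rendered line)

    def flush(guest, stop=None):
        user, stamp, began = open_runs.pop(guest)
        line = f"start {guest} {user} {stamp}"
        if stop is not None:
            minutes = int((stop - began).total_seconds()) // 60
            # Hours are not folded into days, so long runs print e.g. (26:10).
            line += f" - {stop:%H:%M} ({minutes // 60:02d}:{minutes % 60:02d})"
        rows.append((began, line))

    for raw in text.splitlines():
        if not raw.strip():
            continue
        event, guest, user, stamp, when = parse(raw, year)
        if event == "start":
            if guest in open_runs:   # earlier start never saw a stop record
                flush(guest)
            open_runs[guest] = (user, stamp, when)
        elif event == "stop" and guest in open_runs:
            flush(guest, when)
    for guest in list(open_runs):    # no stop seen before the log ended
        flush(guest)
    return [line for _, line in sorted(rows)]
```

A start with no matching stop is printed without an end time or duration, so a gap in the audit trail stays visible instead of being merged into the next run.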