Linux-audit Archive on lore.kernel.org
* Format of audit logs
@ 2007-05-08 18:02 Matthew Booth
From: Matthew Booth @ 2007-05-08 18:02 UTC (permalink / raw)
  To: linux-audit

Can anybody point me to a document which describes the format of logs
generated by auditd in RHEL 4. This is for a customer, and is for human
consumption. I don't need to parse them. I know they're reasonably
self-explanatory, but it would be a significant amount of work to
document it myself.

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


* Re: Format of audit logs
  2007-05-08 18:02 Format of audit logs Matthew Booth
@ 2007-05-13 16:47 ` Steve Grubb
From: Steve Grubb @ 2007-05-13 16:47 UTC (permalink / raw)
  To: linux-audit

On Tuesday 08 May 2007 14:02:06 Matthew Booth wrote:
> Can anybody point me to a document which describes the format of logs
> generated by auditd in RHEL 4.

I have not created such a document. I don't know if anyone else has either. I 
plan to start creating a bunch of documentation for the audit system this 
summer.

-Steve

* Re: Format of audit logs
  2007-05-13 16:47 ` Steve Grubb
@ 2007-05-13 18:17   ` Matthew Booth
From: Matthew Booth @ 2007-05-13 18:17 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Sun, 2007-05-13 at 12:47 -0400, Steve Grubb wrote:
> On Tuesday 08 May 2007 14:02:06 Matthew Booth wrote:
> > Can anybody point me to a document which describes the format of logs
> > generated by auditd in RHEL 4.
> 
> I have not created such a document. I don't know if anyone else has either. I 
> plan to start creating a bunch of documentation for the audit system this 
> summer.

Ok. In the meantime, can you fill me in on exactly how a PATH record is
added to an event? For example, on execve(), why would I get a PATH
record for both the binary being executed and the ld library? The latter
didn't have a name, just an inode.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


* Re: Format of audit logs
  2007-05-13 18:17   ` Matthew Booth
@ 2007-05-13 18:38     ` Steve Grubb
From: Steve Grubb @ 2007-05-13 18:38 UTC (permalink / raw)
  To: Matthew Booth; +Cc: linux-audit

On Sunday 13 May 2007 14:17:54 Matthew Booth wrote:
> On Sun, 2007-05-13 at 12:47 -0400, Steve Grubb wrote:
> > On Tuesday 08 May 2007 14:02:06 Matthew Booth wrote:
> > > Can anybody point me to a document which describes the format of logs
> > > generated by auditd in RHEL 4.
> >
> > I have not created such a document. I don't know if anyone else has
> > either. I plan to start creating a bunch of documentation for the audit
> > system this summer.
>
> Ok. In the meantime, can you fill me in on exactly how a PATH record is
> added to an event?

If the syscall is of interest and a context has been created, as the syscall 
is handled it passes certain checkpoints where we gather information as an 
auxiliary record.

> For example, on execve(), why would I get a PATH record for both the binary
> being executed and the ld library? The latter didn't have a name, just an
> inode.

The code passed through one of the hooks? That was probably talked about on 
this mail list maybe 2 years ago. I seem to recall something about it.

In essence, as soon as a syscall becomes of interest, all hooks add aux 
records to describe different aspects of what happened during the syscall. If 
the ld library is in the syscall record, it was used by the kernel during the 
execve syscall.

-Steve

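As an added example, not code from this thread or from the audit project: a small Python parser that reassembles the records Steve describes (the SYSCALL record plus the auxiliary CWD, EXECVE and PATH records that share one msg=audit(timestamp:serial) id) into a single event, so the PATH item that has only an inode is shown next to the executed binary. The log lines are constructed to match auditd's text format; the hex branch handles names the kernel writes as unquoted hex because they contain quotes, whitespace or non-printable bytes.

```python
import re
from collections import defaultdict

# Constructed sample, not from the thread: one execve() event that auditd wrote
# as several records sharing the msg=audit(timestamp:serial) id (item 1 has no
# name, only an inode), plus one PATH record whose name the kernel hex-encoded.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1178654526.123:4567): arch=c000003e syscall=59 success=yes exit=0 pid=1001 auid=500 uid=500 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1178654526.123:4567): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1178654526.123:4567):  cwd="/home/matt"
type=PATH msg=audit(1178654526.123:4567): item=0 name="/bin/ls" inode=131138 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1178654526.123:4567): item=1 name=(null) inode=262250 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1178654526.124:4568): item=0 name=2F746D702F6F64640A6E616D65 inode=99 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')  # quoted value or bare token

def parse_value(key, raw):
    """Decode one field: quoted string, (null), hex-encoded name, or bare token."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw == "(null)":  # no name was available for this PATH item
        return None
    # The kernel writes a name holding quotes, whitespace or non-printable bytes as unquoted hex.
    if key == "name" and raw and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_record(line):
    """Split one line into (type, event id, fields); None for a non-audit line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, f"{ts}:{serial}", {k: parse_value(k, v) for k, v in FIELD_RE.findall(body)}

def group_events(text):
    """Reassemble each event: its SYSCALL record plus the aux records the hooks added."""
    events = defaultdict(lambda: {"syscall": None, "paths": [], "aux": {}})
    for rtype, event_id, fields in filter(None, map(parse_record, text.splitlines())):
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif rtype == "PATH":
            events[event_id]["paths"].append(fields)
        else:
            events[event_id]["aux"][rtype] = fields
    for ev in events.values():  # PATH records carry item=N; keep that order
        ev["paths"].sort(key=lambda p: int(p.get("item", 0)))
    return dict(events)
```

Running `group_events(SAMPLE_LOG)` yields the execve event with its two PATH items, `/bin/ls` and a nameless inode 262250, plus a second event that has no SYSCALL record at all, which is what a grep that matched only the PATH line would leave you with.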
