public inbox for linux-audit@redhat.com
From: Klaus Heinrich Kiwi <klausk@br.ibm.com>
To: "sgrubb@redhat.com" <sgrubb@redhat.com>,
	"Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: should I lose audit data if I only care about the record's fields?
Date: Tue, 13 Nov 2007 18:30:45 -0500
Message-ID: <1194996645.26025.28.camel@klausk.br.ibm.com>

Hi,

 when I started building my dispatcher plug-in, I assumed that I'd only
need the field values in each record to have all the data I needed. My
plug-in for remote logging aimed at consolidating the audit data in
another server, so I probably need all the audit data I can get from the
Audit subsystem, possibly in a format that is compatible with the target
system (thus using the record fields for mapping).

Giving another look at some audit records, I saw that this approach was
probably not sufficient to describe the audited operation as a whole.

Example record:
type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
msg='op=adding user to shadow group acct=klausk
exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1
res=success)'

Using walk_test() from the test routine (Python):
---
event 1 has 1 records
    record 1 of type 1108(USER_CHAUTHTOK) has 12 fields
    line=1 file=None
    event time: 1194995431.57:58485, host=None
        type=USER_CHAUTHTOK (USER_CHAUTHTOK)
        pid=30759 (30759)
        uid=0 (root)
        auid=0 (root)
        subj=root:system_r:unconfined_t:s0-s0:c0.c1023
(root:system_r:unconfined_t:s0-s0:c0.c1023)
        op=adding (adding)
        acct=klausk (klausk)
        exe="/usr/sbin/usermod" (/usr/sbin/usermod)
        hostname=? (?)
        addr=? (?)
        terminal=pts/1 (pts/1)
        res=success (success)
---
'op=adding' - adding what? No information about what's going on here.
_side note_: I just noticed that the original record is telling 'adding
user to shadow group' when in fact I was adding the user to the 'nobody'
group, plus others, with 'usermod -G' - I'll check that again later.

Another example is the LOGIN record:
original record:
type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
auid=4294967295 new auid=0

---walk_test()----
event 1 has 1 records
    record 1 of type 1006(LOGIN) has 5 fields
    line=1 file=None
    event time: 1193547601.367:36782, host=None
        type=LOGIN (LOGIN)
        pid=11698 (11698)
        uid=0 (root)
        auid=4294967295 (unset)
        auid=0 (root)
---
Two auid fields? Which is old and which is new? OK, maybe not the
brightest example, but IMO still valid.

There are probably more examples besides those two. 

Maybe auparse is aimed at just helping us when we need to extract data, but
it is well settled that someone will need the whole record to actually
know what's going on - please tell me if that is the case.

Thoughts?

 Klaus
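The two records quoted in the message above, run through a small parser, as an added example that is not part of the original e-mail and not code from auparse or audispd. It keeps, in order, the key=value fields, the free text that sits between them ('user to shadow group', 'old', 'new'), every duplicate key with all its values, and the raw line, so a forwarding plug-in can see exactly what a fields-only view drops. The helper names (parse_record, tokenize, fields_only, free_text, duplicate_keys, qualified_fields) are hypothetical, and the two sample records are constructed from the lines quoted above. The timestamp is deliberately kept as a string, since the walk_test() output above shows the millisecond part '057' being rendered as '.57' once it becomes a float.

```python
# Added example, not from the original e-mail and not part of auparse or
# audispd. Helper names are hypothetical; sample records are constructed
# from the two records quoted in the e-mail.
import re

# Constructed samples, built from the two records quoted in the e-mail.
USER_CHAUTHTOK = (
    "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 "
    "uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=adding user to shadow group acct=klausk "
    "exe=\"/usr/sbin/usermod\" (hostname=?, addr=?, terminal=pts/1 res=success)'"
)
LOGIN = (
    "type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 "
    "old auid=4294967295 new auid=0"
)

# Record header: type=... msg=audit(SECONDS.MILLIS:SERIAL): <body>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)
# One key=value token; the value is single-quoted, double-quoted, or bare.
TOKEN_RE = re.compile(r"(?P<key>[A-Za-z_][\w-]*)=(?P<val>'[^']*'|\"[^\"]*\"|[^\s,()]*)")


def tokenize(body):
    """Ordered list of ('field', key, value) and ('text', words) items, so
    words between fields ('old', 'new', 'user to shadow group') survive."""
    items, pos = [], 0
    for m in TOKEN_RE.finditer(body):
        gap = body[pos:m.start()].strip(" ,()")
        if gap:
            items.append(("text", gap))
        val = m.group("val")
        if len(val) >= 2 and val[0] in "'\"" and val[-1] == val[0]:
            val = val[1:-1]  # drop the surrounding quotes
        items.append(("field", m.group("key"), val))
        pos = m.end()
    tail = body[pos:].strip(" ,()")
    if tail:
        items.append(("text", tail))
    return items


def parse_record(line):
    """Parse one record. The timestamp stays a string so '057' is not
    rendered as '.57'; a nested msg='...' payload is kept as a field and
    also expanded in place."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    items = []
    for it in tokenize(m.group("body")):
        items.append(it)
        if it[0] == "field" and it[1] == "msg":
            items.extend(tokenize(it[2]))
    return {"type": m.group("type"), "time": m.group("time"),
            "serial": int(m.group("serial")), "items": items,
            "raw": line}  # always forward the raw line with the fields


def fields_only(record):
    """The lossy view: key -> last value, like a naive field walk."""
    return {it[1]: it[2] for it in record["items"] if it[0] == "field"}


def free_text(record):
    """Words between fields that fields_only() throws away."""
    return [it[1] for it in record["items"] if it[0] == "text"]


def duplicate_keys(record):
    """Keys seen more than once, with all their values in record order."""
    seen = {}
    for it in record["items"]:
        if it[0] == "field":
            seen.setdefault(it[1], []).append(it[2])
    return {k: v for k, v in seen.items() if len(v) > 1}


def qualified_fields(record):
    """Prefix a field with the single word before it ('old auid',
    'new auid') so duplicate keys become distinguishable."""
    out, prev = {}, None
    for it in record["items"]:
        if it[0] == "field":
            key = it[1]
            if prev is not None and prev[0] == "text" and " " not in prev[1]:
                key = prev[1] + " " + key
            out[key] = it[2]
        prev = it
    return out


if __name__ == "__main__":
    for raw in (USER_CHAUTHTOK, LOGIN):
        rec = parse_record(raw)
        print(rec["type"], rec["time"], rec["serial"])
        print("  fields only :", fields_only(rec))
        print("  dropped text:", free_text(rec))
        print("  duplicates  :", duplicate_keys(rec), " qualified:", qualified_fields(rec))
```

Run stand-alone, the script shows that fields_only() reduces the first record to op=adding and the second to a single auid, while free_text(), duplicate_keys() and qualified_fields() recover 'user to shadow group' and the old/new distinction from the same line. For a remote-logging plug-in the safe choice is to ship the raw line next to whatever field mapping the target system needs, so nothing has to be reconstructed later.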
 


Thread overview: 5+ messages
2007-11-13 23:30 Klaus Heinrich Kiwi [this message]
2007-11-14 14:30 ` should I lose audit data if I only care about the record's fields? John Dennis
2007-11-14 15:24   ` klausk
2007-11-14 16:18     ` Steve Grubb
2007-11-14 15:37 ` Steve Grubb