From: LC Bruzenak <lenny@magitekltd.com>
To: "Nestler, Roger - IS" <Roger.Nestler@itt.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: creating and inserting audits
Date: Tue, 07 Sep 2010 16:02:21 -0500
Message-ID: <1283893341.4286.10.camel@lcb>
In-Reply-To: <43782B27EE6B5749BBC041BF2AD5ACA429EE09DBD3@01AESMX09-1.aes.de.ittind.com>
On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
>
> Does this capability exist already in linux audit and I’m just not
> seeing it???
>
man audit_log_user_message
>
> Is it a bad idea to build and then to insert a custom audit/message,
> or any standard audit, into the audit.log file?
Nope.
> If so are there any problems to look out for, e.g. event id/sequence
> number collisions, auparse or ausearch problems, formatting issues to
> adhere to???
>
The text in the audit_log_user_message is not really freeform-safe, and
it is practically limited to somewhere around 900+ bytes (from a kernel
setting, unless it has been updated since).
The parser will throw away some of your records if the text matches what
it is looking for elsewhere. Maybe Steve can point out the specs. For
example, I had this one:
> > # ausearch -ts this-week -a 22476
> > <no matches>
> >
> > in the raw log:
> > node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> > uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> > type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> > name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644
> > ouid=ntp
> > ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> > exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> > res=success)'
> >
> > Any clues?
>
> When ausearch finds a malformed record, it discards it as a safety
> measure.
>
> -Steve
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
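The two hazards raised in this message, free-form text that the audit parser mistakes for record syntax and the rough size cap on what audit_log_user_message accepts, can be handled before the call ever reaches libaudit. The following Python helper is an added example and is not code from this thread or from the audit project: it encodes a caller's text in the quoted-or-hex style libaudit uses for field values (a simplification of audit_encode_nv_string's rule, not its exact character set), enforces a 900-byte ceiling taken from the rough figure in the mail (an assumption, not a documented limit), and scans log lines for USER records whose msg='...' body itself looks like a record, the shape that ausearch dropped here. The sample log is constructed; its first line is the record quoted above, reassembled onto one line.

```python
import re

# Upper bound on the free-form text handed to audit_log_user_message().
# The mail only says "somewhere around 900+ bytes", so this constant is an
# assumption for the example, not a value taken from libaudit or the kernel.
MAX_USER_MSG_BYTES = 900

# Printable ASCII (space through tilde). Anything outside it is hex-encoded,
# which is roughly the rule libaudit's audit_encode_nv_string() applies to
# field values (simplified here; it is not libaudit's exact character set).
_PRINTABLE = re.compile(r'^[\x20-\x7e]*$')

# Quotes would terminate or corrupt the msg='...' wrapper of a USER record.
_QUOTE_CHARS = set('\'"')

# Tokens that make free-form text look like the start of another audit
# record, which is what made ausearch discard the record quoted in the mail.
_RECORD_LIKE = re.compile(r'(?:\btype=\w+|msg=audit\(|\bnode=\S+)')


def needs_encoding(text: str) -> bool:
    """True if the text cannot be embedded verbatim inside msg='...'."""
    if not _PRINTABLE.match(text):
        return True
    if _QUOTE_CHARS & set(text):
        return True
    return bool(_RECORD_LIKE.search(text))


def encode_user_msg(text: str) -> str:
    """Return text in a form safe to pass to audit_log_user_message().

    Safe text is wrapped in double quotes; anything else becomes upper-case
    hex of its UTF-8 bytes, so the parser never sees stray quotes or record
    syntax. This follows the quoted-or-hex convention of libaudit field values.
    """
    if needs_encoding(text):
        encoded = text.encode('utf-8').hex().upper()
    else:
        encoded = '"' + text + '"'
    if len(encoded.encode('utf-8')) > MAX_USER_MSG_BYTES:
        raise ValueError(f'message exceeds {MAX_USER_MSG_BYTES} bytes after encoding')
    return encoded


def fits_user_msg(text: str) -> bool:
    """Length check that does not raise, for callers that want to truncate first."""
    try:
        encode_user_msg(text)
    except ValueError:
        return False
    return True


def decode_user_msg(value: str) -> str:
    """Reverse encode_user_msg(): quoted values are literal, bare values are hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return bytes.fromhex(value).decode('utf-8')


# Detection side: find USER records whose msg='...' body itself carries
# record syntax, i.e. records ausearch would silently drop as malformed.
_MSG_BODY = re.compile(r"msg='([^']*)'")


def find_nested_records(lines):
    """Return 1-based line numbers of USER records with record-like msg bodies."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if not re.search(r'\btype=USER\b', line):
            continue
        body = _MSG_BODY.search(line)
        if body and _RECORD_LIKE.search(body.group(1)):
            hits.append(lineno)
    return hits


# Constructed sample: line 1 is the record quoted in the mail, reassembled on
# one line; line 2 is a made-up well-formed record of the same kind.
SAMPLE_LOG = [
    "node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700 uid=0 auid=500 "
    "ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim type=PATH "
    "msg=audit(06/08/2009 13:33:50.101:19267) : item=4 name=/var/lib/ntp/drift "
    "inode=115581 dev=fd:00 mode=file,644 ouid=ntp ogid=ntp rdev=00:00 "
    "obj=system_u:object_r:ntp_drift_t:s0 : exe=\"/usr/local/sbin/auditctl\" "
    "(hostname=?, addr=?, terminal=pts/13 res=success)'",
    "node=slim type=USER msg=audit(1244730800.123:22477): user pid=16701 uid=0 auid=500 "
    "ses=1 subj=user_u:user_r:user_t:s0 msg='backup completed' "
    "(hostname=?, addr=?, terminal=pts/13 res=success)",
]

if __name__ == '__main__':
    print(encode_user_msg('backup completed'))
    nested = _MSG_BODY.search(SAMPLE_LOG[0]).group(1)
    print(encode_user_msg(nested))  # hex, because the body looks like a record
    print('records ausearch would discard:', find_nested_records(SAMPLE_LOG))
```

The encoded string is what a program would hand to audit_log_user_message(); hex-encoding the record-like text from the mail keeps the outer USER record parseable, and find_nested_records() run over an existing audit.log shows which historical records were already lost to ausearch's malformed-record safety check.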