From: Steve Grubb
Subject: Re: Audit/Auditd/Audispd documentation
Date: Thu, 13 Nov 2014 10:15:51 -0500
Message-ID: <1607221.nGWIAH2cY9@x2>
In-Reply-To: <4E8FFAAD447BD2478D75C4FAC3BD2CBF53CC98CB@M30SIEEXMX02.bank.ad.pkobp.pl>
To: linux-audit@redhat.com
Cc: Wojtczak Arkadiusz
List-Id: linux-audit@redhat.com

On Thursday, November 13, 2014 02:20:02 PM Wojtczak Arkadiusz wrote:
> I've been searching for Audit documentation and stumbled upon the following
> conversation:
> http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html
>
> Has anything changed since 2006?

Yes, there is a little more documentation and sample code.

> I need to write a set of rules to correlate audit events from many systems.
> The following information would be very useful:
>
> 1) Event formats - What fields will be generated for a particular event
> type?

Doesn't exist. What I have been doing is using ausearch-test to collect
events. From that you can look through them.

> Which fields are common to all event types?

The audit events have to meet common criteria requirements, which ask for
date, time, subject, object, action, outcome. Each event has that somewhere.
Generally the events have auid as the subject, the object varies based on
what kind of event it is, the action is generally the type of event except
syscalls - for which the key that may be added serves as the action, and the
outcome is either success, res, or results.

> What type of data will be in those fields (binary/encoded/ASCII/UNICODE)?
> What do those fields describe?

I have created a mapping here:
http://people.redhat.com/sgrubb/audit/audit-events.txt
This document describes all known fields.

> 2) For all event types - a description of when (in what circumstances)
> events of this type are generated

Doesn't exist. There are over 150 kinds of events. Some are deprecated, some
are not. The best description for what they are is in the header file for the
kernel and libaudit.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/uapi/linux/audit.h?id=refs/tags/v3.18-rc4#n30
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L40

Also, I have been writing some specifications around when and why certain
events are created:

http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt
http://people.redhat.com/sgrubb/audit/audit-state-diagram.png

I have another around logins that is in development and have another around
virt/containers in the works.

> 3) How do DAC event types relate to AVC (which fields are common,
> which are not)?

The AVCs are created by a whole different community for their own needs. They
more or less conform to the recommended style. If you have auditing enabled,
you should also get a syscall record with the AVC. But if auditing is not
enabled, then you won't. For DAC events, you get a syscall record. You have to
specify what events you are interested in by the rules. I'd recommend the
stig.rules as the best starting point.

-Steve
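The reply above makes two points that a correlation rule set has to build on: every record carries subject (auid), object, action and outcome somewhere, with the field names differing by record type (success= on SYSCALL, res= on USER_* records, the denied/granted verdict on an AVC), and an AVC that fires while auditing is enabled arrives together with a SYSCALL record under the same msg=audit(time:serial) stamp. The following Python is an added example written for this thread, not code from Steve or from the audit project. It parses a handful of constructed audit.log lines, groups records by serial into events, and normalises each event onto the common-criteria fields Steve lists; the choice of which field stands in for "object" per record type is this example's own assumption, not a documented mapping.

```python
import re

# Constructed sample records in native audit.log syntax (not real captures).
# Serial 456 is a SYSCALL plus the AVC that fired in the same event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1415890551.123:456): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="access"
type=AVC msg=audit(1415890551.123:456): avc:  denied  { read } for  pid=2345 comm="cat" name="shadow" dev="dm-0" ino=131 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=USER_LOGIN msg=audit(1415890600.001:457): pid=3001 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1415890650.500:458): pid=3002 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
"""

UNSET_AUID = "4294967295"  # loginuid -1: no login session is attached yet

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# A field is key=value; the value is "...", '...' or a bare run of non-blanks.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")


def parse_fields(text):
    """Return key -> value for one record body, unquoting and flattening msg='...'."""
    fields = {}
    for key, raw in FIELD_RE.findall(text):
        value = raw[1:-1] if raw[0] in "\"'" else raw
        if key == "msg" and raw[0] == "'":
            fields.update(parse_fields(value))  # USER_* records nest fields in msg='...'
        else:
            fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit.log line into a dict, or None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    avc = AVC_RE.match(body)
    if avc:  # AVC records carry verdict and permissions in a prefix, not as key=value
        verdict, perms, rest = avc.groups()
        rec["avc_verdict"], rec["avc_perms"] = verdict, perms.split()
        rec.update(parse_fields(rest))
    else:
        rec.update(parse_fields(body))
    return rec


def group_events(lines):
    """Group records sharing one msg=audit(time:serial) stamp into one event."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def normalize(records):
    """Map one event (all its records) onto subject, object, action, outcome."""
    merged = {}
    for r in records:
        for k, v in r.items():
            merged.setdefault(k, v)  # first record wins for keys present in several
    types = [r["type"] for r in records]

    auid = merged.get("auid")
    subject = None if auid in (None, UNSET_AUID) else int(auid)

    # Action: the rule key for syscall events, the AVC permission set otherwise, else the type.
    if "SYSCALL" in types:
        key = merged.get("key")
        action = key if key not in (None, "(null)") else "syscall=%s" % merged.get("syscall")
    elif "AVC" in types:
        action = "avc:" + ",".join(merged["avc_perms"])
    else:
        action = types[0]

    # Outcome: success=yes/no on SYSCALL, res=/results= on USER_* records,
    # granted/denied in the avc: prefix of an AVC record.
    if "success" in merged:
        outcome = "success" if merged["success"] == "yes" else "failure"
    elif "res" in merged or "results" in merged:
        outcome = "success" if merged.get("res", merged.get("results")) == "success" else "failure"
    elif "avc_verdict" in merged:
        outcome = "success" if merged["avc_verdict"] == "granted" else "failure"
    else:
        outcome = "unknown"

    # Object: varies by record type; this preference order is the example's own assumption.
    obj = merged.get("name") or merged.get("acct") or merged.get("id") or merged.get("exe")
    if obj and "tclass" in merged:
        obj = "%s(%s)" % (obj, merged["tclass"])

    return {"serial": merged["serial"], "time": merged["time"], "types": types,
            "subject": subject, "object": obj, "action": action, "outcome": outcome}


def correlate(log_text):
    """Parse a log, group by serial, and return one normalised event per serial."""
    return [normalize(recs) for recs in group_events(log_text.splitlines()).values()]


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print("%(serial)s %(types)s subject=%(subject)s object=%(object)s "
              "action=%(action)s outcome=%(outcome)s" % ev)
```

Grouping by serial is what lets the SYSCALL record supply the auid and rule key while the AVC in the same event supplies the denied object, which is the relationship Steve describes between DAC and AVC records; on a host without auditing enabled the AVC would arrive alone and the subject would fall back to whatever the AVC itself carries.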