From: Steve Grubb <sgrubb@redhat.com>
To: klausk@br.ibm.com
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: Re: should I loose audit data if I only care about the record's fields?
Date: Wed, 14 Nov 2007 10:37:07 -0500
Message-ID: <200711141037.08301.sgrubb@redhat.com>
In-Reply-To: <1194996645.26025.28.camel@klausk.br.ibm.com>
On Tuesday 13 November 2007 18:30:45 Klaus Heinrich Kiwi wrote:
> Example record:
> type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
> uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
> msg='op=adding user to shadow group acct=klausk
> exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1
> res=success)'
>
> using walk_test() from the test routine (python):
> ---
> op=adding (adding)
> ---
> 'op=adding' - adding what? no information about what's going on here.
This is an audit record that should probably be fixed in the application's
source code.
> _side note_: just noticed that the original record is telling 'adding
> user to shadow group' when in fact I was adding the user to the 'nobody'
> group, plus others, with 'usermod -G' - I'll check that again later.
Yeah, might be a bug. shadow-utils is horrible for auditing since it has so
many exit points that need to be audited. In my opinion, all the apps in it
need restructuring for the logging/auditing.
> Another example is the LOGIN record:
> original record:
> type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
> auid=4294967295 new auid=0
>
> ---walk_test()----
> event 1 has 1 records
> record 1 of type 1006(LOGIN) has 5 fields
> line=1 file=None
> event time: 1193547601.367:36782, host=None
> type=LOGIN (LOGIN)
> pid=11698 (11698)
> uid=0 (root)
> auid=4294967295 (unset)
> auid=0 (root)
> ---
> two auid fields? which is old and which is new? ok maybe not the
> brightest example but IMO still valid.
Yep, that is implicit in the ordering.
> Maybe auparse is aimed to just help us when we need to extract data, but
> it is well-settled that someone will need the whole record to actually
> know what's going on - please tell me if that is the case.
You can access the whole record with auparse_get_record_text().
> Thoughts?
There is also a section of code that is not written. There are plans to access
the "in-between" data as an ancillary field. I believe there are FIXME's in
the code where this should be. Unfortunately, I can't get to it for a little
while.
-Steve
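The two records quoted above show the same loss in two forms: a plain key=value extraction drops the free text between fields ("user to shadow group", "old", "new") and, if it stores fields in a dict, keeps only the last of two `auid` values. The following is an added illustration, not code from auparse or from either poster: a small stand-in parser that keeps fields in order, attaches the in-between words to the field that follows them (the "ancillary field" Steve describes as planned), and recurses into the nested `msg='...'` payload the way walk_test()'s output suggests auparse does. The two sample records are constructed copies of the ones in the thread; `interpret()` is a two-case stand-in for auparse's field interpretation (uid/auid 0 as root, 4294967295 as unset), and `naive_fields()` is the dict-based extraction it is contrasted with.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample records, modelled on the two quoted in the thread.
USER_CHAUTHTOK = (
    "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 "
    "uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=adding user to shadow group acct=klausk "
    'exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1 res=success)\''
)
LOGIN = ("type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 "
         "uid=0 old auid=4294967295 new auid=0")

FIELD_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*)=(.*)$", re.S)
HEADER_RE = re.compile(r"^audit\((\d+\.\d+):(\d+)\):?$")
AUDIT_UNSET = str(2**32 - 1)  # 4294967295: loginuid was never set


@dataclass
class Field:
    name: str
    value: str
    before: str = ""  # free text between the previous field and this one


@dataclass
class Record:
    time: Optional[str] = None
    serial: Optional[str] = None
    fields: List[Field] = field(default_factory=list)
    trailing: str = ""  # free text after the last field, if any


def tokenize(text: str) -> List[str]:
    """Split on whitespace, but keep '...' and "..." values intact."""
    tokens, buf, quote = [], [], None
    for ch in text:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def _parse_fields(text: str, rec: Record) -> Tuple[List[Field], str]:
    fields, pending = [], []
    for tok in tokenize(text):
        raw = FIELD_RE.match(tok)
        if raw and raw.group(1) == "msg" and raw.group(2).startswith("audit("):
            h = HEADER_RE.match(raw.group(2))  # event header, not a field
            if h:
                rec.time, rec.serial = h.group(1), h.group(2)
            continue
        m = FIELD_RE.match(tok.strip("(),"))  # "(hostname=?," -> "hostname=?"
        if not m:
            pending.append(tok.strip("(),"))  # an in-between word
            continue
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == "'":
            # msg='...' carries its own key=value fields: parse and splice them in
            inner, tail = _parse_fields(value[1:-1], rec)
            if inner:
                inner[0].before = " ".join(w for w in (" ".join(pending), inner[0].before) if w)
                fields.extend(inner)
            pending = [tail] if tail else []
            continue
        fields.append(Field(name, value.strip('"'), " ".join(pending)))
        pending = []
    return fields, " ".join(pending)


def parse_record(text: str) -> Record:
    rec = Record()
    rec.fields, rec.trailing = _parse_fields(text, rec)
    return rec


def naive_fields(text: str) -> dict:
    """Quick key=value regex into a dict: the second auid overwrites the
    first and every in-between word ('old', 'user to shadow group') is lost."""
    return dict(re.findall(r"(\w+)=(\S+)", text))


def interpret(f: Field) -> str:
    """Two-case stand-in for auparse field interpretation (assumption)."""
    if f.name in ("uid", "auid"):
        if f.value == AUDIT_UNSET:
            return "unset"
        if f.value == "0":
            return "root"
    return f.value


def walk(rec: Record) -> List[str]:
    """Lines in the style of walk_test(), plus the recovered in-between text."""
    lines = [f"event time: {rec.time}:{rec.serial}"]
    for f in rec.fields:
        note = f"  [preceded by: {f.before!r}]" if f.before else ""
        lines.append(f"{f.name}={f.value} ({interpret(f)}){note}")
    return lines


if __name__ == "__main__":
    for text in (USER_CHAUTHTOK, LOGIN):
        print("\n".join(walk(parse_record(text))))
        print("naive dict:", naive_fields(text), "\n")
```

Running it prints both `auid` fields of the LOGIN record with "old" and "new" attached, and shows `acct=klausk` preceded by "user to shadow group"; the naive dict printed beneath has a single `auid` and none of those words. The usermod message is still only as good as what the application wrote, which is the point made above about fixing it at the source.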
Thread overview: 5+ messages
2007-11-13 23:30 should I loose audit data if I only care about the record's fields? Klaus Heinrich Kiwi
2007-11-14 14:30 ` John Dennis
2007-11-14 15:24 ` klausk
2007-11-14 16:18 ` Steve Grubb
2007-11-14 15:37 ` Steve Grubb [this message]