public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Cooked audit log format
Date: Mon, 12 May 2008 10:43:17 -0400
Message-ID: <200805121043.17906.sgrubb@redhat.com>
In-Reply-To: <482767E0.10506@redhat.com>

On Sunday 11 May 2008 17:40:48 Matthew Booth wrote:
> I've noticed that a number of utilities cook the logs slightly. I've
> shied away from this to date because I want to be able to leverage
> existing tools. However, if some standard emerged (or has emerged and I
> missed it) for cooked logs, I'd be extremely interested in implementing
> that.
>
> Simple starters would include:
> * Translating the architecture and syscall names into human.

libauparse, ausearch, & ausyscall can do this.

> * Jumping one way or the other with the hex strings business

Not sure what you mean by this. ausearch, aureport, & libauparse can handle
them.

> * Translating socket addresses into human.

libauparse, ausearch, and aureport all do this.

> * Translating timestamps into human.

libauparse, ausearch, and aureport all do this.


> * Ditching uninteresting records, such as PATH with no name for the
> dynamic linker, and 2 PATH records when execing a script.
>
> with an ultimate goal of:
> * Defining an expected set of data for every system call and putting
> them all on a single line in a well defined format.

I have a feeling that too will become an abomination. aureport tries to get 
the audit events down to the bare essentials. But what you wind up with is 
something that makes you want more details. When you add more details you 
feel like you want less.


> Is anybody doing any work in this direction?

Not really. Part of the problem is that I occasionally hear complaints about 
the audit format, but then no one that is actually /using/ the audit output 
is willing to help define what an auditor needs. I'd really like this to come 
from people who do this as their job. 

I can take a guess at what's needed. But I really want to hear it from the 
Security Officer's perspective.

One thing that is on the TODO list is to make an output format that is like 
strace for syscall records. At least people have experience reading strace 
output and it might help make one class of record easier to understand. Doing 
this will be a big job, so I want to get some important things like remote 
logging finished before jumping into it.

-Steve
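
As an added illustration of the "cooking" steps listed above (timestamps, arch and syscall names, hex-encoded strings, socket addresses), here is a small Python sketch; it is not libauparse or any audit-userspace code. The sample records, the two tiny name tables and the little-endian sa_family assumption are constructed for this example.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample records (hypothetical values, not from any real host).
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1210542048.123:456): arch=c000003e syscall=42 '
    'success=yes exit=0 a0=3 comm="curl" exe="/usr/bin/curl"',
    'type=SOCKADDR msg=audit(1210542048.123:456): saddr=02000050C0A80A0B0000000000000000',
    'type=EXECVE msg=audit(1210542048.456:457): argc=2 a0="ls" a1=2F746D702F6120623C',
]

# Tiny illustrative tables (x86_64 syscalls only); libauparse carries the full ones.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALL_X86_64 = {42: "connect", 59: "execve"}

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # quoted or bare value

def decode_saddr(hexval):
    # saddr= is a raw struct sockaddr; sa_family is host order (little-endian
    # assumed for this sample). Only AF_INET is interpreted here.
    raw = bytes.fromhex(hexval)
    family = int.from_bytes(raw[:2], "little")
    if family == socket.AF_INET:
        port = int.from_bytes(raw[2:4], "big")          # network byte order
        return f"inet host:{socket.inet_ntoa(raw[4:8])} serv:{port}"
    return f"family {family} (not interpreted)"

def cook_record(line):
    """Turn one raw audit record into a dict of human-readable fields."""
    rtype = FIELD_RE.match(line).group(2)               # type= is always first
    m = MSG_RE.search(line)
    when = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    cooked = {"type": rtype, "serial": int(m.group(3)), "time": when.strftime("%Y-%m-%d %H:%M:%S UTC")}
    for key, val in FIELD_RE.findall(line[m.end():]):
        if val.startswith('"'):
            cooked[key] = val[1:-1]                       # printable, used as-is
        elif key == "arch":
            cooked[key] = ARCH_NAMES.get(val.lower(), val)
        elif key == "syscall":
            cooked[key] = SYSCALL_X86_64.get(int(val), val)
        elif key == "saddr":
            cooked[key] = decode_saddr(val)
        elif rtype == "EXECVE" and key[0] == "a" and key[1:].isdigit():
            # bare argv entries are hex-encoded (space, quote or non-printable inside)
            cooked[key] = bytes.fromhex(val).decode("utf-8", "replace")
        else:
            cooked[key] = val
    return cooked
```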

Thread overview:
2008-05-11 21:40 Cooked audit log format Matthew Booth
2008-05-12 14:43 ` Steve Grubb [this message]
2008-05-12 15:02   ` Matthew Booth
2008-05-12 15:19     ` Steve Grubb
2008-05-12 15:50       ` LC Bruzenak
2008-05-12 16:09         ` Miloslav Trmač
2008-05-12 16:34           ` Steve Grubb
2008-05-12 16:44             ` LC Bruzenak
2008-05-12 16:53         ` Matthew Booth
2008-05-12 16:12       ` John Dennis
2008-05-12 20:56         ` Eric Paris
2008-05-13 12:30           ` John Dennis
2008-05-15 10:28       ` Tony Jones
2008-05-15 12:44         ` Steve Grubb
2008-05-15 15:59           ` John Dennis
