public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [RFC] New ausearch output option & audit viewing in Spacewalk
Date: Mon, 8 Jun 2009 13:28:40 -0400	[thread overview]
Message-ID: <200906081328.40794.sgrubb@redhat.com> (raw)
In-Reply-To: <4A2D406D.1080105@gtri.gatech.edu>

On Monday 08 June 2009 12:46:37 pm Joshua Roys wrote:
> As part of developing an audit viewing "plugin"[1] to Spacewalk[2], I
> wrote a small program to use libauparse to output (easily)
> machine-parsable audit logs.  I think this functionality would be nice
> to have in ausearch, and as such, wrote a patch for it.

Very interesting work. When you apply this patch and select its output format, 
what does the output look like?


> As well as reviewing this patch, I would like your feedback concerning
> the Spacewalk audit plugin.  Any questions or constructive criticism is
> welcome.

I think this is a very interesting project. But, I have to admit that I don't 
use ausearch as the normal presentation program when I'm researching some 
audit events. For example, a typical investigation may go something like 
this:

1) you run aureport to see what is going on. hmm...no avcs...but lots of 
files, therefore you are getting hits on rules. wonder which ones?
2) you run the key report to see what the nature of hits is like. The access 
key seems to be getting a lot of hits, wonder which files it might be?
3) you run ausearch selecting the access key and pipe that into the file 
summary report. You notice one file is getting lots of hits. Wonder who is 
doing it?
4) you run ausearch selecting the access key and the file name and pipe that 
into the user summary report.
5) you notice it's one acct and you wonder what all failures that person has 
had this session so you re-run the last ausearch command with --just-one so 
you can find the ses=value. Then you run ausearch --session value --success no 
and send that to aureport to get an overview of the session.
...

So, I'd recommend adding aureport's main summary and the aureport key summary 
reports to the output so that you can see if there is any reason to do a 
deeper investigation.

Interesting work!

-Steve
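The five-step narrowing described in the message above, written out as an added example: this is not code from the list, from audit-userspace, or from the Spacewalk plugin. It replays the same chain (key summary, file summary for one key, user summary for one key and file, session lookup, failures in that session) in Python over a constructed sample of auditd records, so that the output of each step can be seen without a live audit log. The `ausearch`/`aureport` invocations named in the comments are what each step corresponds to on a real system; the sample record contents, the helper names and the "item=0 only" simplification are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample of auditd records (not real logs). Each event is a
# SYSCALL record followed by one PATH record carrying the same serial number,
# in the key=value layout auditd writes to /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1244479200.101:501): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 ses=3 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1244479200.101:501): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000
type=SYSCALL msg=audit(1244479200.102:502): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 ses=3 comm="less" exe="/usr/bin/less" key="access"
type=PATH msg=audit(1244479200.102:502): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000
type=SYSCALL msg=audit(1244479200.103:503): arch=c000003e syscall=2 success=yes exit=3 auid=1001 uid=1001 ses=4 comm="vi" exe="/usr/bin/vi" key="access"
type=PATH msg=audit(1244479200.103:503): item=0 name="/etc/hosts" inode=99 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1244479200.104:504): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 ses=3 comm="cat" exe="/bin/cat" key="config"
type=PATH msg=audit(1244479200.104:504): item=0 name="/etc/sudoers" inode=77 dev=fd:00 mode=0100440
"""

HEADER = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by serial number into events, merging the SYSCALL fields
    with the file name from the PATH record (item=0 only, a simplification)."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group("body"))}
        ev = events.setdefault(m.group("serial"),
                               {"serial": m.group("serial"), "time": m.group("time")})
        if m.group("type") == "SYSCALL":
            ev.update({k: fields.get(k, "") for k in
                       ("key", "success", "auid", "ses", "comm", "exe")})
        elif m.group("type") == "PATH" and fields.get("item") == "0":
            ev["file"] = fields.get("name", "")
    return sorted(events.values(), key=lambda e: int(e["serial"]))


def key_summary(events):
    """Step 2: hits per rule key, what 'aureport -k --summary' shows."""
    return Counter(e["key"] for e in events if e.get("key"))


def file_summary(events, key):
    """Step 3: files hit under one key, 'ausearch -k KEY | aureport -f --summary'."""
    return Counter(e["file"] for e in events if e.get("key") == key and e.get("file"))


def user_summary(events, key, path):
    """Step 4: login uids (auid) hitting one file under one key,
    'ausearch -k KEY -f PATH | aureport -u --summary'."""
    return Counter(e["auid"] for e in events
                   if e.get("key") == key and e.get("file") == path)


def session_of(events, key, path, auid):
    """Step 5a: the ses= value of the first matching event, which is what
    'ausearch -k KEY -f PATH --just-one' lets you read off."""
    for e in events:
        if e.get("key") == key and e.get("file") == path and e.get("auid") == auid:
            return e["ses"]
    return None


def session_failures(events, ses):
    """Step 5b: every failed event of that login session,
    'ausearch --session SES --success no | aureport'."""
    return [e for e in events if e.get("ses") == ses and e.get("success") == "no"]


def triage(text):
    """Run the whole chain and return what each step narrowed down to."""
    events = parse_events(text)
    keys = key_summary(events)
    if not keys:
        return {"key_summary": {}}
    hot_key = keys.most_common(1)[0][0]
    hot_file = file_summary(events, hot_key).most_common(1)[0][0]
    hot_auid = user_summary(events, hot_key, hot_file).most_common(1)[0][0]
    ses = session_of(events, hot_key, hot_file, hot_auid)
    return {
        "key_summary": dict(keys),
        "hot_key": hot_key,
        "hot_file": hot_file,
        "hot_auid": hot_auid,
        "session": ses,
        "session_failures": [(e["serial"], e["comm"], e["file"])
                             for e in session_failures(events, ses)],
    }


if __name__ == "__main__":
    for step, value in triage(SAMPLE_LOG).items():
        print(f"{step}: {value}")
```

On the sample the chain lands on key `access`, file `/etc/shadow`, auid 1000 and session 3, and the last step then surfaces the failed `/etc/sudoers` read under a different key that the key-by-key view alone would not have tied to the same session; that cross-key view of one session is the reason the last step pipes a session search back into aureport rather than stopping at the key.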
