From: "Nestler, Roger - IS"
Subject: creating and inserting audits
Date: Tue, 7 Sep 2010 16:38:29 -0400
To: linux-audit@redhat.com

Using syslog it seems straightforward to insert a new message, 'syslog(LOG_NOTICE, "Hello This is just a notice")' for instance.

Does this capability exist already in linux audit and I'm just not seeing it???

Is it a bad idea to build and then to insert a custom audit/message, or any standard audit, into the audit.log file?

If so are there any problems to look out for, e.g. event id/sequence number collisions, auparse or ausearch problems, formatting issues to adhere to???

Thanks

________________________________
This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
From: Steve Grubb
Subject: Re: creating and inserting audits
Date: Tue, 7 Sep 2010 17:00:27 -0400
To: linux-audit@redhat.com

On Tuesday, September 07, 2010 04:38:29 pm Nestler, Roger - IS wrote:
> Using syslog it seems straightforward to insert a new message, 'syslog
> (LOG_NOTICE, "Hello This is just a notice")' for instance.
>
> Does this capability exist already in linux audit and I'm just not seeing
> it???

The Linux audit system is protected by virtue of apps needing CAP_AUDIT_WRITE
in order to send an event. Assuming that your app has this, you will want to
use one of the functions here:

https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L375

> Is it a bad idea to build and then to insert a custom audit/message, or any
> standard audit, into the audit.log file?

Yes. Do not do it. It has to be sent to the kernel for timestamping and
correlation. Not to mention the kernel will collect a few things about the
sender to be put in the audit trail.

> If so are there any problems to look out for, e.g. event id/sequence number
> collisions, auparse or ausearch problems, formatting issues to adhere
> to???

You must send to the kernel.

Aside from that, events must have a type. If you do not see a type that
matches what you are doing, then use the AUDIT_TRUSTED_APP type which you may
do (nearly) anything to. The audit system wants name=value fields. You should
use the same field name as an existing one any time you find one. If you are
not using AUDIT_TRUSTED_APP, then you must fill in the same fields in the same
order as the original source does. The value part may not have a space or
certain control characters in it. If it does you must encode the contents of
the value with the audit_encode_value() function.

-Steve


From: LC Bruzenak
Subject: Re: creating and inserting audits
Date: Tue, 07 Sep 2010 16:02:21 -0500
To: "Nestler, Roger - IS"
Cc: linux-audit@redhat.com

On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
>
> Does this capability exist already in linux audit and I'm just not
> seeing it???
>

man audit_log_user_message

>
> Is it a bad idea to build and then to insert a custom audit/message,
> or any standard audit, into the audit.log file?

Nope.

> If so are there any problems to look out for, e.g. event id/sequence
> number collisions, auparse or ausearch problems, formatting issues to
> adhere to???
>

The text in the audit_log_user_message is not really freeform-safe, and
it is practically limited to somewhere around 900+ bytes (from a kernel
setting, unless it has been updated since).

The parser will throw away some of your records if the text matches what
it is looking for elsewhere. Maybe Steve can point out the specs. For
example, I had this one:

> > # ausearch -ts this-week -a 22476
> > <no matches>
> >
> > in the raw log:
> > node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> > uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> > type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> > name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
> > ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> > exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> > res=success)'
> >
> > Any clues?
>
> When ausearch finds a malformed record, it discards it as a safety
> measure.
>
> -Steve

LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


From: Steve Grubb
Subject: Re: creating and inserting audits
Date: Tue, 7 Sep 2010 17:17:23 -0400
To: linux-audit@redhat.com

On Tuesday, September 07, 2010 05:02:21 pm LC Bruzenak wrote:
> > Is it a bad idea to build and then to insert a custom audit/message,
> > or any standard audit, into the audit.log file?
>
> Nope.

To make sure we don't give conflicting advice, I was thinking he meant writing
directly to the file (which you should not do). Events must be sent to the
kernel. But you are free to make your own audit events as long as you mimic
the existing events.

-Steve


From: "Nestler, Roger - IS"
Subject: RE: creating and inserting audits
Date: Wed, 8 Sep 2010 09:48:44 -0400
To: Steve Grubb, linux-audit@redhat.com

Thanks,

The below sequence of functions seems to do the trick...

int audit_fd = audit_open();
audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL, 1);
audit_close(audit_fd);

Also the executable that I created, then copied to a root area and then ran as root, seemed to have the CAP_AUDIT_WRITE permission by default... how did my app get that permission, is it just because it's a root app... I didn't explicitly assign it to the app, did I?

Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT' that would appear as say 'type=HELLOWORLD' in the audit file. Is that possible with a config file or function call?... It looks as if I'd have to modify stuff in maybe libaudit.h and msg_typetab.h, recompile.. etc... in order to add a custom type?

Thanks
Roger


From: Steve Grubb
Subject: Re: creating and inserting audits
Date: Wed, 8 Sep 2010 10:25:16 -0400
To: "Nestler, Roger - IS"
Cc: linux-audit@redhat.com

On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
> The below sequence of functions seems to do the trick...
>
> int audit_fd = audit_open();
> audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL,
> 1); audit_close(audit_fd);

Yes. There are a couple other log functions that may be better suited
depending on your needs. If you want the program name to show up, use
audit_log_user_comm_message(). Also, please note this:

#define AUDIT_USER        1005    /* Message from userspace -- deprecated */

That type is deprecated, please do not use it.

> Also the executable that I created, then copied to a root area and then ran
> as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
> did my app get that permission, is it just because it's a root app... I
> didn't explicitly assign it to the app, did I?

If your app runs as root, it inherits that capability by virtue of being under
the root account. If your app ran as a normal user, then you would have a
problem because normal users do not have CAP_AUDIT_WRITE. You would either
have to make your app setuid or a helper that is to do the logging. If you
have a helper, then you have to worry if it can be abused to flood the log. If
you don't go this route, you have to ask if a normal user can do anything that
is security critical in the first place.

> Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT'
> that would appear as say 'type=HELLOWORLD' in the audit file. Is that
> possible with a config file or function call?...

No. We create types as they are needed for other projects. We have patched
everything that needs auditing to create audit events. We also created the
generic AUDIT_TRUSTED_APP type for private use. You can do anything with that
type you want. If you have types that you think other projects might need, let
me know and I'll see how we can fit them in.

> It looks as if I'd have to modify stuff in maybe libaudit.h and
> msg_typetab.h, recompile.. etc... in order to add a custom type?

And update aureport/ausearch and libauparse perhaps.

-Steve


From: "Nestler, Roger - IS"
Subject: RE: creating and inserting audits
Date: Wed, 8 Sep 2010 10:56:50 -0400
To: Steve Grubb
Cc: linux-audit@redhat.com

Ok sounds good.. thanks for pointing out the deprecated type... I think I grabbed that from auditctrl.c (v1.7.17...).

Ok, so if we ever wanted to add some new types that would be unique/specific to our app we would submit a request to you/redhat... and then in a future version of audit we'd possibly see our new types?

Thanks for all the help,

Roger


From: Steve Grubb
Subject: Re: creating and inserting audits
Date: Wed, 8 Sep 2010 16:34:03 -0400
To: "Nestler, Roger - IS"
Cc: linux-audit@redhat.com

On Wednesday, September 08, 2010 10:56:50 am Nestler, Roger - IS wrote:
> Ok, so if we ever wanted to add some new types that would be
> unique/specific to our app we would submit a request to you/redhat... and
> then in a future version of audit we'd possibly see our new types?

Well, if it's unique to your app and you don't think anyone else will use it,
then there is the TRUSTED_APP type. If you think it's something that would be
used in other applications, then send it to this mail list. Currently I'm
adding event types for service start/stop, virtualization, and crypto. There
should be a release soon to get those out where apps can use them.

-Steve
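Putting Steve's field rules (name=value, no spaces or control characters in a raw value, otherwise encode it) together with Lenny's parser pitfall, here is an added example that is not code from the thread or from libaudit: it builds a user message the way audit_encode_value() shapes fields and pre-checks it before it would be handed to audit_log_user_comm_message() with AUDIT_TRUSTED_APP. The 900-byte cap, the helper names and the sample fields are assumptions, and the libaudit calls appear only in a comment so the block compiles without the library.

```c
#include <stdio.h>
#include <string.h>

/* Lenny's note: user messages are "practically limited to somewhere around
 * 900+ bytes" by a kernel setting; 900 is the cap assumed here. */
#define MAX_USER_MSG 900

/* Steve's rule: a raw value may not hold a space or certain control chars.
 * Local helper (not libaudit's): a double quote, anything below 0x21 or
 * above 0x7e means the value must be encoded. */
static int needs_encoding(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '"' || c < 0x21 || c > 0x7e)
            return 1;
    }
    return 0;
}

/* Append a name=value field to buf (capacity cap).  A clean value is written
 * as name="value"; otherwise the bytes go out as upper-case hex, e.g.
 * reason=612062 for "a b", the shape audit_encode_value() produces.
 * Returns 0 on success, -1 if the field does not fit. */
static int append_field(char *buf, size_t cap, const char *name, const char *value)
{
    size_t used = strlen(buf), room = cap - used;
    char *p = buf + used;
    const char *sep = used ? " " : "";
    int n;

    if (!needs_encoding(value)) {
        n = snprintf(p, room, "%s%s=\"%s\"", sep, name, value);
        return (n < 0 || (size_t)n >= room) ? -1 : 0;
    }
    n = snprintf(p, room, "%s%s=", sep, name);
    if (n < 0 || (size_t)n >= room)
        return -1;
    p += n; room -= (size_t)n;
    for (; *value; value++) {
        n = snprintf(p, room, "%02X", (unsigned char)*value);
        if (n < 0 || (size_t)n >= room)
            return -1;
        p += n; room -= (size_t)n;
    }
    return 0;
}

/* Pre-flight check before audit_log_user_comm_message().  The kernel wraps
 * the text in msg='...' (see Lenny's raw record), so a quote or newline
 * breaks the framing, and text that carries another record's "msg=audit("
 * header is exactly what ausearch dropped as malformed in his example. */
static int user_msg_is_safe(const char *msg)
{
    if (strlen(msg) > MAX_USER_MSG || strstr(msg, "msg=audit(") != NULL)
        return 0;
    if (strchr(msg, '\'') != NULL || strchr(msg, '\n') != NULL)
        return 0;
    return 1;
}

int main(void)
{
    char msg[1024] = "";   /* constructed sample fields */
    append_field(msg, sizeof msg, "op", "config-reload");
    append_field(msg, sizeof msg, "reason", "Hello This is just a notice");
    printf("%s safe=%d\n", msg, user_msg_is_safe(msg));
    /* With libaudit linked in the send is: fd = audit_open();
     * audit_log_user_comm_message(fd, AUDIT_TRUSTED_APP, msg, NULL, NULL, NULL, 1);
     * audit_close(fd); and the caller needs CAP_AUDIT_WRITE (root has it). */
    return 0;
}
```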