From: Steve Grubb <sgrubb@redhat.com>
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
Subject: Re: user audits
Date: Fri, 3 Dec 2010 11:25:15 -0500 [thread overview]
Message-ID: <201012031125.16062.sgrubb@redhat.com> (raw)
In-Reply-To: <1291392745.2184.38.camel@lcb>
On Friday, December 03, 2010 11:12:25 am LC Bruzenak wrote:
> On Fri, 2010-12-03 at 10:54 -0500, Steve Grubb wrote:
> > On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote:
> > > Would there be any issue with adding a couple new trusted_application
> > > event types? Would any kernel mods be needed to support this?
> >
> > Are these events originating in user space or the kernel? I might be
> > convinced to set aside the block of IDs from 2600 - 2699 for local use
> > if a suitable framework were written. This would mean that there is some
> > config file that holds the local mapping of event IDs to text and
> > ausearch/report/parse will need to be patched to understand local
> > definitions.
>
> Great!
>
>From user space only. Analogous to signal handling of SIGUSR1, SIGUSR2
> where the framework supports the user-implemented pieces.
>
> I was thinking ausearch/auparse would treat all the TRUSTED_APPs the
> same...since they (currently) fails to parse these correctly anyway
> IMHO. :)
It translates the event record type and allows searches based on the event record's
name. Aureport totals event types. Auparse also translates event type. libaudit may or
may not have validation issues - I have not looked at the code for sending events
lately.
> Everything else could treat the additional user types exactly as they do
> the TRUSTED_APP event now. When I dig through the events on the back end
> I would be able to act differently on the ones I know I've put in place
> on the originating end.
Parsing the event beyond the type, timestamp, and serial number is problematic. But
the first couple items are standard and the kernel enforces conformance. That is as far
as I was thinking to go with it.
> > Would you be interested in this approach?
>
> Absolutely!
> I will be starting work on some stuff which could utilize this after the
> holidays. If it gets into RHEL6 I would be thrilled!
Look at what I said above. I would suggest a file at /etc/audit/local.defs for a
mapping of local definitions. I would expect to be able to use:
ausearch -m local-type
aureport --summary --events -i
-Steve
prev parent reply other threads:[~2010-12-03 16:25 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-03 15:40 user audits LC Bruzenak
2010-12-03 15:54 ` Steve Grubb
2010-12-03 16:12 ` LC Bruzenak
2010-12-03 16:25 ` Steve Grubb [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201012031125.16062.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox