* auditd 2.0.5 and 2.2 log format changes
@ 2014-05-20 15:18 Ismail Yenigul
From: Ismail Yenigul @ 2014-05-20 15:18 UTC (permalink / raw)
To: linux-audit
Hello,
I have a script to correlate (for a user-friendly report) auditd 2.2 version
logs. It works on RedHat.
We have a SUSE 11.4 server running audit version 2.0.5.
I could not see any major log format difference between the two versions.
I see that there is a nametype=NORMAL field difference at the end of each
line for version 2.2.
Are there any other log format changes between the two versions?
PS: I execute the /sbin/ausearch -i -if /var/log/audit/audit.log command before
starting log processing.
Thanks in advance.
* Re: auditd 2.0.5 and 2.2 log format changes
From: Steve Grubb @ 2014-05-20 15:31 UTC (permalink / raw)
To: Ismail Yenigul; +Cc: linux-audit
On Tue, 20 May 2014 18:18:14 +0300
Ismail Yenigul <ismailyenigul@gmail.com> wrote:
> I have a script to correlate (for a user-friendly report) auditd 2.2
> version logs. It works on RedHat.
> We have a SUSE 11.4 server running audit version 2.0.5.
>
> I could not see any major log format difference between the two versions.
> I see that there is a nametype=NORMAL field difference at the end of
> each line for version 2.2.
This is not related to auditd. This is a change in the kernel. Auditd
just distributes events to disk and other applications.
> Is there any other log format changes between two versions?
There are likely differences in the kernels (and possibly user space
apps). I have no idea what they are.
-Steve
* Re: auditd 2.0.5 and 2.2 log format changes
From: Ismail Yenigul @ 2014-05-20 15:35 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Thanks for the prompt reply.
The kernel versions are very close.
Redhat: 2.6.32-431.11.2.el6.x86_64
Suse: 2.6.37.1-1.2-desktop
Is there any change in the audit.rules format?
Have a nice day.
* Re: auditd 2.0.5 and 2.2 log format changes
From: Eric Paris @ 2014-05-20 17:02 UTC (permalink / raw)
To: Ismail Yenigul; +Cc: linux-audit
On Tue, 2014-05-20 at 18:35 +0300, Ismail Yenigul wrote:
> Thanks for the prompt reply.
>
> The kernel versions are very close.
Not really. RHEL kernels are vastly different from the old 2.6.32
kernel. In this case, the RHEL kernel gives some very very new
information which didn't exist back in 2.6.37. Aka the 2.6.32 RHEL
kernel is 'newer' than the 2.6.37 SUSE kernel. Does that make sense?
> Redhat: 2.6.32-431.11.2.el6.x86_64
>
> Suse: 2.6.37.1-1.2-desktop
>
> > I have a script to correlate (for a user-friendly report) auditd 2.2
> > version logs. It works on RedHat.
> > We have a SUSE 11.4 server running audit version 2.0.5.
> >
> > I could not see any major log format difference between the two versions.
> > I see that there is a nametype=NORMAL field difference at the end of
> > each line for version 2.2.
This is a new key=value pair which tells you something about this
particular name record. Imagine you called rename() and placed one file
on top of another existing file. In old kernels you'd end up with about
4 different audit names: old parent dir, new parent dir, old file
moving, new file being unlink()ed because of the rename() on top of it.
This field is supposed to help you figure out which of these audit names
goes with which part of the syscall. Make sense?
* Re: auditd 2.0.5 and 2.2 log format changes
From: Ismail Yenigul @ 2014-05-20 18:23 UTC (permalink / raw)
To: eparis, linux-audit
Thank you for the valuable details. We will see what will happen in the field.
By the way, do you have a plan to use Solaris BSM style output? All info
is stored in a single line in BSM output. This is more human-friendly output.
But Red Hat's auditd creates multiple lines, and every syscall has a different
number of lines with a different number of fields in every line.
Thanks
* Re: auditd 2.0.5 and 2.2 log format changes
From: Steve Grubb @ 2014-05-20 18:38 UTC (permalink / raw)
To: Ismail Yenigul; +Cc: linux-audit
On Tue, 20 May 2014 21:23:59 +0300
Ismail Yenigul <ismailyenigul@gmail.com> wrote:
> By the way, do you have a plan to use Solaris bsm style output. All
> info stored in a single line in bsm output.
The simple answer, no. The design of the Linux audit system is
different from the Solaris audit system. The multiple lines come from
different parts of the kernel contributing what they know about the
syscall once it's been determined to be an event of interest.
> This is more human friendly output.
There are some plans to make the output easier to understand. It's just
that there are other problems that need fixing before work can start on
that.
-Steve
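Two points in this thread are easiest to see in code: Eric's explanation that the nametype field labels which PATH record plays which role in a multi-name syscall such as rename(), and Steve's point that one event arrives as several records (SYSCALL, CWD, PATH, ...) that a user-space script must regroup, which is what the original poster's correlation script has to do. The following is an added example, not code from the thread or from the audit project: it parses raw audit.log lines (before any `ausearch -i` interpretation), groups them by the (timestamp, serial) pair in `msg=audit(...)`, reads nametype where the kernel emitted it and falls back to UNKNOWN where an older kernel did not, and flattens each event to one line. The sample records are constructed; the nametype strings (PARENT, DELETE, CREATE) are the kernel's own, but which item number carries which role in the rename is an illustration, not a claim about the exact order a given kernel produces.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample audit.log records (not from the thread). Event 4242 is a
# rename() of old.txt over an existing new.txt as a newer kernel logs it, with
# nametype on every PATH record; event 4243 is an open() as an older kernel
# (e.g. 2.6.37) would log it, with no nametype field at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1400600000.123:4242): arch=c000003e syscall=82 success=yes exit=0 a0=1a2b000 a1=1a2b040 a2=0 a3=0 items=5 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="mv" exe="/bin/mv" key="rename-watch"
type=CWD msg=audit(1400600000.123:4242):  cwd="/home/user"
type=PATH msg=audit(1400600000.123:4242): item=0 name="/home/user/" inode=100 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1400600000.123:4242): item=1 name="/home/user/" inode=100 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1400600000.123:4242): item=2 name="/home/user/old.txt" inode=200 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1400600000.123:4242): item=3 name="/home/user/new.txt" inode=201 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1400600000.123:4242): item=4 name="/home/user/new.txt" inode=200 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1400600001.456:4243): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0000 a1=0 a2=0 a3=0 items=1 ppid=1000 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="passwd-watch"
type=CWD msg=audit(1400600001.456:4243):  cwd="/home/user"
type=PATH msg=audit(1400600001.456:4243): item=0 name="/etc/passwd" inode=300 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Every raw record starts with its type and the msg=audit(timestamp:serial) tag;
# the serial is what ties the records of one event together.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# Remaining fields are key=value, where value is either quoted or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(log_text):
    """Group raw records into events keyed by the (timestamp, serial) pair."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank line or something that is not an audit record
        ev = events.setdefault((m['ts'], m['serial']), {"syscall": {}, "paths": []})
        fields = parse_fields(m['body'])
        if m['type'] == 'SYSCALL':
            ev['syscall'] = fields
        elif m['type'] == 'PATH':
            ev['paths'].append(fields)   # one record per audit name
        else:
            ev[m['type'].lower()] = fields  # CWD, PROCTITLE, ...
    return events


def path_roles(event):
    """(name, role) per PATH record in item order.

    Older kernels emit no nametype at all, so the role is UNKNOWN rather than
    a guess; a script ported between the two distributions must tolerate that.
    """
    ordered = sorted(event['paths'], key=lambda p: int(p.get('item', '0')))
    return [(p.get('name', '?'), p.get('nametype', 'UNKNOWN')) for p in ordered]


def role_counts(event):
    """How many audit names of each role the event carries."""
    return dict(Counter(role for _, role in path_roles(event)))


def flatten(event):
    """One line per event, in the spirit of the single-line output asked about."""
    sc = event['syscall']
    parts = ["syscall=%s" % sc.get('syscall', '?'),
             "success=%s" % sc.get('success', '?'),
             "auid=%s" % sc.get('auid', '?'),
             "comm=%s" % sc.get('comm', '?')]
    parts += ["%s:%s" % (role, name) for name, role in path_roles(event)]
    return " ".join(parts)


if __name__ == "__main__":
    for (ts, serial), ev in parse_events(SAMPLE_LOG).items():
        print(serial, flatten(ev))
```

Run against a real audit.log the same grouping applies, but keep in mind that serial numbers restart at boot, so the (timestamp, serial) pair, not the serial alone, is the event key, and that an event's records may be interleaved with records of other events, which is why the script groups by key rather than assuming consecutive lines belong together.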