From: Richard Guy Briggs <rgb@redhat.com>
To: Wojtczak Arkadiusz <arkadiusz.wojtczak@pkobp.pl>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Audit/Auditd/Audispd documentation
Date: Thu, 13 Nov 2014 09:37:26 -0500 [thread overview]
Message-ID: <20141113143726.GB9980@madcap2.tricolour.ca> (raw)
In-Reply-To: <4E8FFAAD447BD2478D75C4FAC3BD2CBF53CC98CB@M30SIEEXMX02.bank.ad.pkobp.pl>
On 14/11/13, Wojtczak Arkadiusz wrote:
> Hi,
> I've been searching for Audit documentation and stumbled upon the following conversation:
> http://www.redhat.com/archives/linux-audit/2006-September/msg00081.html
>
> Has anything changed since 2006?
Just recently, Steve Grubb has published this document, which outlines
the desired format of audit log records with the aim of having it
included in the kernel source Documentation tree:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
The existing records do not all follow this specification. There are
efforts to correct this, but some would break long-used parsers.
There have been several other discussions recently (last month or two)
that talk about specific and general issues. I'll let Steve answer in a
bit more detail.
> I need to write a set of rules to correlate audit events from many systems. The following information would be very useful:
>
> 1) Event formats - What fields will be generated for particular event type? Which fields are common to all event types? What type of data will be in those fields (binary/encoded/ASCII/UNICODE)? What do those fields describe?
>
> 2) For all event types - a description of when (in what circumstances) events of this type are generated
>
> 3) How do DAC event types relate to AVC event types (which fields are common, which are not)?
>
> Best regards,
> Arkadiusz Wojtczak
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545