From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: New draft standards
Date: Tue, 08 Dec 2015 16:28:45 -0500
Message-ID: <3071754.rElmU3SS9m@x2>
References: <3616972.XJnAnOOqWb@x2> <20151208204958.GB32667@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20151208204958.GB32667@madcap2.tricolour.ca>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, December 08, 2015 03:49:58 PM Richard Guy Briggs wrote:
> On 15/12/08, Steve Grubb wrote:
> > Hello,
> >
> > I would like to point out 2 new standards that have been posted to the
> > linux audit web page. The first establishes the events around system
> > start up and shutdown. This is important because it sets the session
> > boundaries for when a system is up or down or crashed.
> >
> > http://people.redhat.com/sgrubb/audit/system-lifecycle.txt
>
> A couple of very minor corrections to this first one:

Thanks, Applied.

> > The second standard is more of a forward looking standard. It explains how
> > the audit daemon and utilities will perform event enrichment before being
> > stored long term in an aggregator. The target for implementation is the
> > 2.5 release of the audit daemon.
> >
> > http://people.redhat.com/sgrubb/audit/event-enrichment
>
> How do you mean for IP address to be "resolved"? Is this simply a
> matter of recording it? Or would this be a reverse lookup on the local
> machine to get the opinion of what it should be from the DNS perspective
> of the local machine, assuming different machines in the logging domain
> could potentially have different views of DNS?

I think the latter. Bot-nets get shut down. Systems go away. Sometimes internal
names differ from external names.
-Steve

> > Let me know if anyone has feedback on these standards, especially the
> > second one.
> >
> > -Steve
>
> - RGB
>
> --
> Richard Guy Briggs
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
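The exchange above settles on resolving an address with the local machine's own resolver at the time the event is collected, because the name an aggregator would get later (or from a different vantage point) can differ or no longer exist. The following is an added illustration of that enrichment step, written for this thread; it is not code from the audit daemon or from the event-enrichment document. The sample events, the `resolved_addr=` field name and the `enrich_event` helper are all constructed for the example, and the original `addr=` value is kept untouched so a reviewer can always fall back to the raw address.

```python
import re
import socket
from typing import Callable, List, Optional

# Constructed sample audit records (not captured from any real system).
# Addresses are from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24.
SAMPLE_EVENTS: List[str] = [
    "type=USER_LOGIN msg=audit(1449610125.123:456): pid=1234 uid=0 "
    "auid=1000 ses=5 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=192.0.2.10 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1449610130.456:457): pid=1235 uid=0 "
    "auid=1000 ses=6 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=198.51.100.7 terminal=ssh res=failed'",
]

# Matches the addr= field (IPv4 or IPv6 literal). The \b keeps it from
# matching inside other field names such as saddr=.
ADDR_RE = re.compile(r"\baddr=(?P<addr>[0-9a-fA-F.:]+)")


def local_reverse_lookup(addr: str) -> Optional[str]:
    """Reverse-resolve addr using this host's configured resolver.

    This is the 'local machine's view' from the thread: whatever DNS or
    /etc/hosts say on the collecting system right now. Returns None when
    the lookup fails so the caller can record that explicitly.
    """
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enrich_event(
    event: str,
    resolver: Callable[[str], Optional[str]] = local_reverse_lookup,
) -> str:
    """Append a hypothetical resolved_addr= field to one audit record.

    The raw addr= field is left exactly as logged; the resolved name is an
    addition, and a failed lookup is recorded as '?' rather than dropped,
    so the aggregator can tell 'unresolvable at collection time' apart
    from 'never looked up'.
    """
    match = ADDR_RE.search(event)
    if match is None:
        return event  # nothing to resolve in this record
    name = resolver(match.group("addr"))
    return event + " resolved_addr=" + (name if name else "?")


def enrich_all(
    events: List[str],
    resolver: Callable[[str], Optional[str]] = local_reverse_lookup,
) -> List[str]:
    """Enrich a batch of records before handing them to the aggregator."""
    return [enrich_event(e, resolver) for e in events]


if __name__ == "__main__":
    # Stand-alone run uses the real local resolver; results depend on this host.
    for line in enrich_all(SAMPLE_EVENTS):
        print(line)
```

The resolver is injected so the same code can be exercised offline with a fixed mapping; in production the default `local_reverse_lookup` is used, which is exactly the point of the thread: the name recorded is the one the collecting host saw at the moment of the event.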