From: Matthew Booth
To: linux-audit@redhat.com
Subject: Cooked audit log format
Date: Sun, 11 May 2008 22:40:48 +0100
Message-ID: <482767E0.10506@redhat.com>
List-Id: linux-audit@redhat.com

(This is an OpenPGP/MIME signed message, RFC 2440 and 3156.)

As recently mentioned, Linux audit logs[1] are fairly hideous, and
although machine readability may have been a design goal, I'd argue
they're not too friendly in that regard either. I suspect, in fact, that
the principal driver has been machine producibility ;)

I've noticed that a number of utilities cook the logs slightly. I've
shied away from this to date because I want to be able to leverage
existing tools. However, if some standard emerged (or has emerged and I
missed it) for cooked logs, I'd be extremely interested in implementing
that.

Simple starters would include:

* Translating the architecture and syscall names into human.
* Jumping one way or the other with the hex strings business.
* Translating socket addresses into human.
* Translating timestamps into human.
* Ditching uninteresting records, such as PATH with no name for the
  dynamic linker, and 2 PATH records when execing a script.

with an ultimate goal of:

* Defining an expected set of data for every system call and putting
  them all on a single line in a well defined format.

Is anybody doing any work in this direction?

Matt

[1] Of course, they're really accounting logs produced by the accounting
daemon. If you actually audit your accounting logs, this seemingly
pedantic point can become quite confusing.

-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
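Added example, not part of Matthew's message and not code from any audit project: a small Python "cooker" that applies the simple starters listed above to a constructed pair of events (an execve of a script followed by a TCP connect) and emits one line per event. It decodes the AUDIT_ARCH value and syscall number, the bare-hex strings audit uses for values containing spaces, the raw struct sockaddr in SOCKADDR records, and the epoch timestamp; it drops PATH items whose name is absent or (null), which is how the "PATH with no name" point is read here. The sample records, the partial x86_64 syscall table and the one-line output layout are assumptions made for illustration.

```python
"""Cook raw Linux audit records into one readable line per event.
Added example (not Matthew Booth's code or any audit project's tool); the
sample records, the arch/syscall tables and the output layout are assumed."""
import re
import socket
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: an execve of a script followed by a TCP connect,
# laid out the way auditd writes them (not captured from a real host).
SAMPLE = """\
type=SYSCALL msg=audit(1210541234.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=1234 pid=1235 auid=500 uid=500 euid=500 comm="sh" exe="/bin/bash" key=(null)
type=EXECVE msg=audit(1210541234.123:4242): argc=2 a0="sh" a1=2F746D702F6D79207363726970742E7368
type=CWD msg=audit(1210541234.123:4242):  cwd="/home/mbooth"
type=PATH msg=audit(1210541234.123:4242): item=0 name="/bin/sh" inode=1 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1210541234.123:4242): item=1 name=(null) inode=2 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1210541234.987:4243): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff3 a2=10 a3=0 items=0 ppid=1234 pid=1235 auid=500 uid=500 euid=500 comm="nc" exe="/usr/bin/nc" key=(null)
type=SOCKADDR msg=audit(1210541234.987:4243): saddr=02000050C0A800010000000000000000
"""

ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}  # AUDIT_ARCH_X86_64 / AUDIT_ARCH_I386
SYSCALL_X86_64 = {2: "open", 42: "connect", 59: "execve", 257: "openat"}  # partial, assumed
STRING_FIELDS = {"name", "cwd", "exe", "comm", "proctitle", "key"}  # may arrive hex-encoded
SYSCALL_KEYS = ("success", "exit", "pid", "ppid", "auid", "uid", "euid", "comm", "exe")

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_hex_string(val):
    """Audit writes strings holding spaces or quotes as bare uppercase hex."""
    if len(val) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", val):
        return bytes.fromhex(val).decode("utf-8", "replace")
    return val


def decode_sockaddr(hexstr):
    """Render the raw struct sockaddr that SOCKADDR records carry as hex."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]  # sa_family_t in host (LE) order
    if family == 2:  # AF_INET on Linux: port in network order, then 4-byte address
        port = struct.unpack_from("!H", raw, 2)[0]
        return "%s:%d" % (socket.inet_ntop(socket.AF_INET, raw[4:8]), port)
    if family == 10:  # AF_INET6 on Linux: port, flowinfo, then 16-byte address
        port = struct.unpack_from("!H", raw, 2)[0]
        return "[%s]:%d" % (socket.inet_ntop(socket.AF_INET6, raw[8:24]), port)
    if family == 1:  # AF_UNIX: NUL-terminated path follows the family
        return "unix:" + raw[2:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return "family=%d raw=%s" % (family, hexstr)


def parse_record(line):
    """Split one raw record into type, serial, ISO timestamp and decoded fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, sec, msec, serial, rest = m.groups()
    fields = {}
    for key, val in FIELD.findall(rest):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in STRING_FIELDS or (rtype == "EXECVE" and re.fullmatch(r"a\d+", key)):
            val = decode_hex_string(val)
        fields[key] = val
    when = datetime.fromtimestamp(int(sec), tz=timezone.utc) + timedelta(milliseconds=int(msec))
    return {"type": rtype, "serial": int(serial), "time": when.isoformat(timespec="milliseconds"), "fields": fields}


def cook(text):
    """Group records by event serial and flatten each event into one dict."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "time": rec["time"], "argv": [], "paths": []})
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            ev["arch"] = ARCH.get(int(f.get("arch", "0"), 16), f.get("arch"))
            nr = int(f["syscall"])
            ev["syscall"] = SYSCALL_X86_64.get(nr, str(nr)) if ev["arch"] == "x86_64" else str(nr)
            ev.update((k, f[k]) for k in SYSCALL_KEYS if k in f)
        elif rec["type"] == "EXECVE":
            ev["argv"] = [f["a%d" % i] for i in range(int(f["argc"])) if "a%d" % i in f]
        elif rec["type"] == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rec["type"] == "PATH":
            if f.get("name") not in (None, "(null)"):  # drop nameless items (e.g. the dynamic linker)
                ev["paths"].append(f["name"])
        elif rec["type"] == "SOCKADDR":
            ev["saddr"] = decode_sockaddr(f["saddr"])
    return list(events.values())


def format_event(ev):
    """One line per event: time, serial, arch, syscall, then the chosen fields."""
    parts = [ev["time"], "#%d" % ev["serial"], ev.get("arch", "?"), ev.get("syscall", "?")]
    parts += ["%s=%s" % (k, ev[k]) for k in SYSCALL_KEYS + ("cwd", "saddr") if k in ev]
    for k in ("argv", "paths"):
        if ev[k]:
            parts.append("%s=%r" % (k, ev[k]))
    return " ".join(parts)


if __name__ == "__main__":
    for event in cook(SAMPLE):
        print(format_event(event))
```

Two points worth noting if this is extended: bare-hex detection keys on the field name because auditd quotes any printable value, so an unquoted value in a string field is always hex, while the a0..a3 pointer arguments of SYSCALL are bare lowercase hex and must not be decoded; and the sockaddr family numbers are hard-coded Linux values (2, 10, 1) rather than socket.AF_* so the decoder gives the same answer when run on another platform.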