From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marcelo Cerri
Subject: [RFC] Virtual machine related events support
Date: Fri, 11 Nov 2011 20:26:20 -0200
Message-ID: <4EBDA10C.40704@linux.vnet.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path:
Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.17]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id pAC6QQq7031255 for ; Sat, 12 Nov 2011 01:26:26 -0500
Received: from e24smtp05.br.ibm.com (e24smtp05.br.ibm.com [32.104.18.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id pAC6QPrR010935 for ; Sat, 12 Nov 2011 01:26:25 -0500
Received: from /spool/local by e24smtp05.br.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sat, 12 Nov 2011 04:26:23 -0200
Received: from d24av04.br.ibm.com (d24av04.br.ibm.com [9.8.31.97]) by mailhub1.br.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id pABMRO3K1319368 for ; Fri, 11 Nov 2011 20:28:08 -0200
Received: from d24av04.br.ibm.com (loopback [127.0.0.1]) by d24av04.br.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id pABMQkCN009160 for ; Fri, 11 Nov 2011 20:26:46 -0200
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com
List-Id: linux-audit@redhat.com

Hi,

We are working on a project in which we need to get some events from the audit log related to virtual machine events and filter these events per guest. Currently, the audit tools don't support this kind of search. However, we are willing to implement the necessary features to support it, and we'd like to receive some feedback from audit stakeholders on our proposal.

Most of these records are generated by libvirt, but some of them are generated by SELinux (as AVC denials).
To get events generated by libvirt, we'd like to search through audit records using both the "uuid" and "vm" fields. The following records are examples of both types of records that we intend to filter:

type=VIRT_RESOURCE msg=audit(1319602467.134:33): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='resrc=disk reason=start vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a old-disk="?" new-disk="/var/lib/libvirt/images/CentOS-Guest.img": exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'

type=AVC msg=audit(1318529059.690:801): avc: denied { read } for pid=31199 comm="qemu-kvm" name="RHEL6.img" dev=dm-0 ino=524635 scontext=system_u:system_r:svirt_t:s0:c99,c999 tcontext=system_u:object_r:svirt_image_t:s0:c390,c835 tclass=file

While the "vm" field contains the domain name and is a more user-friendly identifier, it's intended to be unique only within the scope of a single host. On the other hand, the "uuid" field is intended to be a global identifier.

We'd like to create a stand-alone tool, similar to aulast, to filter this kind of event, which could be part of audit's tools. It'd be able to list VM specific events, and filter these events by UUID or VM name if needed. We intend to support the following usage/options (any suggestions are welcome):

Usage: auvirt [ options ] [ uuid | vm-name ]

Options:
  --summary (default)
      Write a formatted output containing summarized information such as the
      considered time period, total number of VM specific events, total number
      of events by type (start, stop, resource change) and total number of AVC
      events.
  --raw
      Write records related to guests as shown in audit.log. The output may
      contain the following record types: VIRT_CONTROL, VIRT_RESOURCE,
      VIRT_MACHINE_ID and AVC.
  -f file, --stdin
      Same as aulast.

We intend to correlate AVC denial events to guests through the security label used by a guest in a specific period.
Another proposal would be to change ausearch to support two new search options:

  -uu, --uuid vm-uuid
      Search for an event with the given UUID.
  -vm, --vm-name vm-name
      Search for an event with the given virtual machine name.

However, these fields are defined by libvirt, and it may be a good idea to add to libaudit a new "audit_log_*" function to enforce a standard message format for VM related events that could be used by other virtualization tools.

Please send your comments and suggestions.

Regards,
Marcelo Cerri
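The filtering and correlation the message proposes, as an added example that is not part of the original post and not code from the audit or libvirt projects. It parses audit records of the shape quoted above, selects VM-related records by uuid or vm name the way the proposed auvirt would, and attributes AVC denials to a guest by matching the AVC's scontext against the label libvirt assigned to that guest, but only while the guest was running (between its VIRT_MACHINE_ID record and the matching VIRT_CONTROL op=stop). The sample log is constructed: the VIRT_RESOURCE and first AVC lines are modelled on the records quoted in the message with timestamps adjusted so the AVC falls inside the guest's running period; the VIRT_MACHINE_ID (vm-ctx=, img-ctx=) and VIRT_CONTROL (op=, reason=, vm-pid=) layouts follow libvirt's message formats as I understand them, which is an assumption here. Records are assumed to be in chronological order, as they are in audit.log.

```python
"""auvirt-style filtering of libvirt audit records with AVC-to-guest correlation.

Added example, not code from the original post or from audit/libvirt.
"""
import re
from collections import Counter

# Constructed sample log (see the lead-in). The VIRT_MACHINE_ID/VIRT_CONTROL
# field layout is assumed from libvirt's message formats. Two AVCs are
# deliberately not attributable: serial 802 carries a label no guest used,
# serial 810 reuses the guest's label but arrives after the guest stopped.
SAMPLE_LOG = """\
type=VIRT_MACHINE_ID msg=audit(1319602466.900:31): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a vm-ctx=system_u:system_r:svirt_t:s0:c99,c999 img-ctx=system_u:object_r:svirt_image_t:s0:c99,c999 model=selinux: exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=VIRT_RESOURCE msg=audit(1319602467.134:33): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='resrc=disk reason=start vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a old-disk="?" new-disk="/var/lib/libvirt/images/CentOS-Guest.img": exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=VIRT_CONTROL msg=audit(1319602467.500:34): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=start reason=booted vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a vm-pid=14150: exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1319602470.690:801): avc:  denied  { read } for  pid=14150 comm="qemu-kvm" name="RHEL6.img" dev=dm-0 ino=524635 scontext=system_u:system_r:svirt_t:s0:c99,c999 tcontext=system_u:object_r:svirt_image_t:s0:c390,c835 tclass=file
type=AVC msg=audit(1319602471.100:802): avc:  denied  { write } for  pid=31199 comm="qemu-kvm" name="other.img" dev=dm-0 ino=524700 scontext=system_u:system_r:svirt_t:s0:c390,c835 tcontext=system_u:object_r:svirt_image_t:s0:c99,c999 tclass=file
type=VIRT_CONTROL msg=audit(1319602480.000:40): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='virt=kvm op=stop reason=shutdown vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a vm-pid=14150: exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1319602490.000:810): avc:  denied  { read } for  pid=14999 comm="qemu-kvm" name="late.img" dev=dm-0 ino=524800 scontext=system_u:system_r:svirt_t:s0:c99,c999 tcontext=system_u:object_r:svirt_image_t:s0:c99,c999 tclass=file
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
# key=value tokens; values may be "double" or 'single' quoted or bare.
FIELD = re.compile(r"""([\w-]+)=("[^"]*"|'[^']*'|\S+)""")
VIRT_TYPES = ("VIRT_CONTROL", "VIRT_RESOURCE", "VIRT_MACHINE_ID")


def parse_fields(text):
    """Turn 'a=b c="d e" f=g)' into {'a': 'b', 'c': 'd e', 'f': 'g'}."""
    out = {}
    for key, val in FIELD.findall(text):
        val = val[1:-1] if val[0] in "\"'" else val.rstrip("),:")
        out[key] = val
    return out


def parse_record(line):
    """Parse one audit.log line into a dict, or None if it is not a record."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, secs, msecs, serial, rest = m.groups()
    rec = {"type": rtype, "time": float(f"{secs}.{msecs}"), "serial": int(serial)}
    fields = parse_fields(rest)
    # libvirt puts vm=, uuid=, op=, vm-ctx= etc. inside the quoted msg='...' payload
    if "msg" in fields:
        fields.update(parse_fields(fields.pop("msg")))
    rec.update(fields)
    return rec


def correlate(records):
    """Give AVC records a uuid when their scontext equals a label libvirt
    assigned to a guest and the AVC time falls inside that guest's run."""
    spans = {}  # vm-ctx label -> list of [uuid, start, end-or-None]
    for rec in records:
        if rec["type"] == "VIRT_MACHINE_ID" and rec.get("vm-ctx") and rec.get("uuid"):
            spans.setdefault(rec["vm-ctx"], []).append([rec["uuid"], rec["time"], None])
        elif rec["type"] == "VIRT_CONTROL" and rec.get("op") == "stop":
            for span in (s for lst in spans.values() for s in lst):
                if span[0] == rec.get("uuid") and span[2] is None:
                    span[2] = rec["time"]  # label is no longer this guest's
        elif rec["type"] == "AVC":
            for uuid, start, end in spans.get(rec.get("scontext"), []):
                if start <= rec["time"] and (end is None or rec["time"] <= end):
                    rec["uuid"] = uuid
                    break
    return records


def load(text):
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return correlate([r for r in records if r])


def auvirt(records, selector=None):
    """Records for all guests, or only for the guest whose uuid or vm name
    equals selector; attributed AVCs are included, unattributed ones are not."""
    uuids = {r["uuid"] for r in records if r["type"] in VIRT_TYPES and r.get("uuid")
             and selector in (None, r["uuid"], r.get("vm"))}
    return [r for r in records if r["type"] in VIRT_TYPES + ("AVC",)
            and r.get("uuid") in uuids]


def summary(records):
    """The --summary view: time period, event total, counts per type/op."""
    counts, times = Counter(), [r["time"] for r in records]
    for r in records:
        if r["type"] == "VIRT_CONTROL":
            counts["control:" + r.get("op", "?")] += 1
        elif r["type"] == "VIRT_RESOURCE":
            counts["resource:" + r.get("reason", "?")] += 1
        else:
            counts[r["type"].lower()] += 1
    period = (min(times), max(times)) if times else (None, None)
    return {"period": period, "events": len(records), "counts": dict(counts)}


if __name__ == "__main__":
    import json
    import sys
    sel = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(summary(auvirt(load(SAMPLE_LOG), sel)), indent=1))
```

Run with no argument for all guests or with a uuid or vm name (`python auvirt_example.py CentOS-Guest`); the summary reports five events for CentOS-Guest, one of them the AVC attributed by label, while the two AVCs outside the label's validity window stay unattributed. Keying the label on a time span rather than on the context alone matters because libvirt reuses MCS category pairs across guests over time, so a label by itself does not name a guest.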