From: Marcelo Cerri
Subject: Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines
Date: Fri, 13 Jan 2012 17:45:14 -0200
To: Steve Grubb
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com

I'm also suppressing the AVC records. Maybe "--all-events" or
"--show-all-events". What do you think?

On 01/13/2012 05:23 PM, Steve Grubb wrote:
> Hello,
>
> On Friday, January 13, 2012 12:25:05 PM Marcelo Cerri wrote:
>> These are some output examples of auvirt. What do you think?
>
> I think you are on the right track.
>
>> I just added a "--full" option because libvirt can generate several
>> resource events and this can make the output confusing.
>
> Hmm. Why not call it --resource if it's a resource specific report? Full to me
> implies everything for all guests.
>
>> $ ./auvirt
>> start guest-name-1 root Tue Jan 10 11:05
>> stop guest-name-1 root Tue Jan 10 11:39
>> start guest-name-2 root Wed Jan 11 15:23
>> start guest-name-2 root Wed Jan 11 16:28
>> start guest-name-1 root Wed Jan 12 19:47
>
> Why not collapse these into 1 line like last that shows a duration?
>
> start guest-name-1 root Tue Jan 10 11:05 - 11:39 (00:34)
>
> Do you have any samples for when a guest is paused and restarted? I would also
> collapse those into a line showing the duration of the pause.
>
> pause guest-name-1 root Tue Jan 10 11:15 - 11:30 (00:15)
>
>> $ ./auvirt --show-uuid
>> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:05
>> stop guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:39
>> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 15:23
>> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 16:28
>> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Wed Jan 12 19:47
>>
>> $ ./auvirt --summary # keep the same behaviour
>>
>> $ ./auvirt --uuid fb4149f5-9ff6-4095-f6d3-a1d03936fdfa
>> start guest-name-1 root Tue Jan 10 11:05
>> stop guest-name-1 root Tue Jan 10 11:39
>> start guest-name-1 root Wed Jan 12 19:47
>>
>> $ ./auvirt --vm-name guest-name-2
>> start guest-name-2 root Wed Jan 11 15:23
>> start guest-name-2 root Wed Jan 11 16:28
>
> Maybe it will be easier on admin's fingers to just call the above option --vm? I
> like shorter names if they make sense and are unambiguous.
>
>> $ ./auvirt --full --uuid f937029b-93ca-4e13-b40b-663f46323503
>> res guest-name-2 root Wed Jan 11 15:23 disk "?" "/images/guest-2.img"
>> res guest-name-2 root Wed Jan 11 15:23 vcpu "0" "4"
>> res guest-name-2 root Wed Jan 11 15:23 net "?" "52:54:00:DB:AE:B4"
>> res guest-name-2 root Wed Jan 11 15:23 mem "?" "1048576"
>> start guest-name-2 root Wed Jan 11 15:23
>> avc guest-name-2 root Wed Jan 11 19:49 read "/images/guest-2.img" denied
>> res guest-name-2 root Wed Jan 11 15:23 mem "1048576" "2097152"
>> stop guest-name-2 root Wed Jan 11 16:28
>
> I would separate avcs and anomalies into a security report. Then for the
> resource section, I would rearrange the fields so the time is at the end and then
> show the duration so you collapse 2 lines (assignment and disposal) into 1 line.
>
> For things that are disposed of at shutdown, you can just put "down" like last
> does when users are logged out by the system shutdown.
>
> Overall, I think this is heading in the right direction.
>
> Thanks,
> -Steve
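
Added example, not part of the original message and not auvirt's code: a sketch of the start/stop collapsing suggested in the quoted reply, pairing each guest start with its next stop and printing one line with a duration in the style of `last`. The event tuples, the function names and the "no stop record" wording are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample events modelled on the output quoted in the thread:
# (timestamp, operation, guest, user). Not real audit records.
EVENTS = [
    ("2012-01-10 11:05", "start", "guest-name-1", "root"),
    ("2012-01-10 11:39", "stop", "guest-name-1", "root"),
    ("2012-01-11 15:23", "start", "guest-name-2", "root"),
    ("2012-01-11 16:28", "start", "guest-name-2", "root"),  # no stop in between
    ("2012-01-12 19:47", "start", "guest-name-1", "root"),
]

FMT = "%Y-%m-%d %H:%M"


def collapse(events):
    """Pair each start with the next stop of the same guest.

    Returns (guest, user, start, end) tuples in start order; end is None when
    no stop was seen before the guest's next start or the end of the input.
    """
    open_sessions = {}  # guest -> index in sessions of its unclosed start
    sessions = []
    for stamp, op, guest, user in sorted(events):
        when = datetime.strptime(stamp, FMT)
        if op == "start":
            # A second start without a stop leaves the earlier session open.
            open_sessions[guest] = len(sessions)
            sessions.append((guest, user, when, None))
        elif op == "stop" and guest in open_sessions:
            i = open_sessions.pop(guest)
            sessions[i] = sessions[i][:3] + (when,)
        # A stop with no matching start is dropped rather than guessed at.
    return sessions


def render(session):
    """Format one session as: start <guest> <user> <start> - <end> (HH:MM)."""
    guest, user, start, end = session
    head = f"start {guest} {user} {start:%a %b %d %H:%M}"
    if end is None:
        return head + " - no stop record"  # wording is an assumption
    minutes = int((end - start).total_seconds()) // 60
    return f"{head} - {end:%H:%M} ({minutes // 60:02d}:{minutes % 60:02d})"


if __name__ == "__main__":
    for s in collapse(EVENTS):
        print(render(s))
```

Sessions left open-ended are worth surfacing in a report rather than hiding, since a start with no stop can mean a running guest, a host shutdown, or missing audit records.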