From: Marcelo Cerri
Subject: Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines
Date: Fri, 27 Jan 2012 14:37:00 -0200
Message-ID: <4F22D2AC.9050404@linux.vnet.ibm.com>
In-Reply-To: <4F1FFC0A.2070807@linux.vnet.ibm.com>
References: <1323964611-30053-1-git-send-email-mhcerri@linux.vnet.ibm.com> <201201111620.06515.sgrubb@redhat.com> <4F1EF3B8.5080303@linux.vnet.ibm.com> <201201241527.40706.sgrubb@redhat.com> <4F1FFC0A.2070807@linux.vnet.ibm.com>
To: Steve Grubb
Cc: linux-audit@redhat.com, gcwilson@us.ibm.com, bryntcor@us.ibm.com
List-Id: linux-audit@redhat.com

I submitted a patch to libvirt to add the qemu pid (vm-pid) to the
VIRT_CONTROL audit record. I'm using this field to correlate anomaly
events to guests in auvirt, and as a fallback it tries to use the SELinux
context for that.

Regards,
Marcelo

On 01/25/2012 10:56 AM, Marcelo Cerri wrote:
> I agree that pid and time is a better way for correlation, but I was
> coding a solution based on that when I figured out a problem. There's
> no qemu pid in the audit logs. Libvirt (at least the libvirt shipped
> with RHEL 6.2) always logs its own pid to the audit log.
>
> I'll try to discover if there is another way to correlate them or if
> newer versions of libvirt log the qemu pid to the audit log.
>
> Regards,
> Marcelo
>
> On 01/24/2012 06:27 PM, Steve Grubb wrote:
>> On Tuesday, January 24, 2012 01:08:56 PM Marcelo Cerri wrote:
>>> I took a look at some anomaly events and I'm thinking to correlate them
>>> to guests based on the SELinux context or maybe based on the pid field.
>>>
>>> Do you think there are other ways to correlate them?
>> I was thinking to correlate them based on the time and pid. If it's
>> within the time range between startup/shutdown and it's the same pid,
>> then you have the event correlated. If it's outside the time range or a
>> different pid, then you do not have correlation. I would not look at
>> selinux label because not all systems/distros have it enabled or
>> compiled in. So, pid and time are the most universal identifiers for
>> correlation.
>>
>> -Steve
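The correlation rule discussed in this thread (match an anomaly event to a guest when its pid equals the guest's qemu pid and its timestamp falls between the guest's start and stop records, otherwise fall back to the SELinux context) is shown below as an added example. This is illustrative code written for this page, not auvirt's own implementation or the libvirt patch. It assumes the libvirt record layout (VIRT_CONTROL carrying `vm-pid` after the patch, VIRT_MACHINE_ID carrying `vm-ctx`); the sample log lines, guest names, pids and contexts are constructed for the example, including a VIRT_CONTROL start record that lacks `vm-pid` to mimic the older libvirt that only logs its own pid.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records in Linux audit format. guest-a is started by a
# libvirt that logs vm-pid; guest-b by an older libvirt that logs only the
# libvirtd pid (1200), so only its SELinux context can identify it.
SAMPLE_LOG = """\
type=VIRT_MACHINE_ID msg=audit(1327675000.100:200): pid=1200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=mac vm="guest-a" uuid=aaaaaaaa-0000-0000-0000-000000000001 vm-ctx=system_u:system_r:svirt_t:s0:c10,c20 img-ctx=system_u:object_r:svirt_image_t:s0:c10,c20 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1327675000.200:201): pid=1200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="guest-a" uuid=aaaaaaaa-0000-0000-0000-000000000001 vm-pid=5001 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_MACHINE_ID msg=audit(1327675100.000:210): pid=1200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm resrc=mac vm="guest-b" uuid=bbbbbbbb-0000-0000-0000-000000000002 vm-ctx=system_u:system_r:svirt_t:s0:c30,c40 img-ctx=system_u:object_r:svirt_image_t:s0:c30,c40 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=VIRT_CONTROL msg=audit(1327675100.100:211): pid=1200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="guest-b" uuid=bbbbbbbb-0000-0000-0000-000000000002 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=ANOM_ABEND msg=audit(1327675150.500:220): auid=4294967295 uid=107 gid=107 ses=4294967295 subj=system_u:system_r:svirt_t:s0:c10,c20 pid=5001 comm="qemu-kvm" sig=11
type=VIRT_CONTROL msg=audit(1327675200.000:230): pid=1200 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=stop reason=crashed vm="guest-a" uuid=aaaaaaaa-0000-0000-0000-000000000001 vm-pid=5001 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
type=ANOM_ABEND msg=audit(1327675300.000:240): auid=4294967295 uid=107 gid=107 ses=4294967295 subj=system_u:system_r:svirt_t:s0:c10,c20 pid=5001 comm="qemu-kvm" sig=11
type=ANOM_ABEND msg=audit(1327675320.000:250): auid=4294967295 uid=107 gid=107 ses=4294967295 subj=system_u:system_r:svirt_t:s0:c30,c40 pid=6000 comm="qemu-kvm" sig=6
"""

HEADER_RE = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)")
FIELD_RE = re.compile(r"([\w-]+)=(\"[^\"]*\"|'[^']*'|\S+)")


@dataclass
class Record:
    type: str
    time: float
    serial: int
    fields: dict


@dataclass
class GuestSession:
    name: str
    uuid: str
    start: float
    stop: Optional[float] = None
    vm_pid: Optional[int] = None   # qemu pid, only known when libvirt logs vm-pid
    vm_ctx: Optional[str] = None   # SELinux label announced by VIRT_MACHINE_ID


def parse_record(line: str) -> Optional[Record]:
    """Split one audit line into type, timestamp, serial and a flat field dict.
    The nested msg='...' payload of libvirt records is parsed into the same dict."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(m.group(5))}
    if "msg" in fields:
        fields.update({k: v.strip('"') for k, v in FIELD_RE.findall(fields.pop("msg"))})
    return Record(m.group(1), float(f"{m.group(2)}.{m.group(3)}"), int(m.group(4)), fields)


def build_sessions(records: list) -> list:
    """Turn VIRT_MACHINE_ID / VIRT_CONTROL records into guest start/stop windows."""
    sessions, ctx_by_uuid = [], {}
    for r in records:
        if r.type == "VIRT_MACHINE_ID":
            ctx_by_uuid[r.fields["uuid"]] = r.fields.get("vm-ctx")
        elif r.type == "VIRT_CONTROL":
            uuid = r.fields["uuid"]
            if r.fields.get("op") == "start":
                pid = r.fields.get("vm-pid")
                sessions.append(GuestSession(r.fields["vm"], uuid, r.time,
                                             vm_pid=int(pid) if pid else None,
                                             vm_ctx=ctx_by_uuid.get(uuid)))
            elif r.fields.get("op") == "stop":
                for s in reversed(sessions):       # close the newest open window
                    if s.uuid == uuid and s.stop is None:
                        s.stop = r.time
                        break
    return sessions


def correlate(records: list, sessions: list) -> list:
    """For each ANOM_* record return (serial, guest name or None, method used).
    Both methods are limited to guests whose window covers the event time, so a
    pid reused after a guest stopped does not get attributed to that guest."""
    out = []
    for r in records:
        if not r.type.startswith("ANOM_"):
            continue
        live = [s for s in sessions if s.start <= r.time <= (s.stop if s.stop is not None else float("inf"))]
        pid = int(r.fields["pid"]) if "pid" in r.fields else None
        hit = next((s for s in live if s.vm_pid is not None and s.vm_pid == pid), None)
        how = "pid" if hit else None
        if hit is None:   # fallback: SELinux context of the offending process
            hit = next((s for s in live if s.vm_ctx and s.vm_ctx == r.fields.get("subj")), None)
            how = "selinux-ctx" if hit else None
        out.append((r.serial, hit.name if hit else None, how))
    return out


def run(log: str = SAMPLE_LOG) -> list:
    records = [rec for rec in map(parse_record, log.splitlines()) if rec]
    return correlate(records, build_sessions(records))


if __name__ == "__main__":
    for serial, guest, how in run():
        print(f"event {serial}: guest={guest} via={how}")
```

Event 220 is matched to guest-a through its pid; event 240 carries the same pid but arrives after guest-a's stop record, so it is left uncorrelated rather than misattributed; event 250 has no known qemu pid to match (guest-b's start record lacks `vm-pid`) and is matched through the SELinux context fallback.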