public inbox for linux-audit@redhat.com
From: Guillaume Destuynder <gdestuynder@mozilla.com>
To: linux-audit@redhat.com
Subject: Re: Advice on enriching logs with user and group names before moving them to a central log repository
Date: Thu, 02 Aug 2012 09:26:37 -0700	[thread overview]
Message-ID: <501AAA3D.8040806@mozilla.com> (raw)
In-Reply-To: <501A86A6.1020004@redhat.com>

I'm doing something similar in an audisp plugin, as you mentioned. It's
part of a different plugin that changes the log format (to CEF) and does
a few other things, so unfortunately only some snippets would help you.

For user names, e.g.:
        auid = auparse_find_field(au, "auid");
        if (auid) {
            i = auparse_get_field_int(au);
            if (i != -1) {
                /* getpwuid_r() returns 0 on success; "no such user" is
                 * reported through result == NULL, not the return value */
                if (getpwuid_r(i, &pwd, buf, bufsize, &result) != 0 || result == NULL)
                    ; /* too late: the user is already gone, keep the raw uid */
            }
        }

The functions available in the plugin interface really make writing your
own plugins very easy :)

Works OK except for the ppid. Not sure how to get the ppid's process
name in userspace other than by reading /proc, and in any case it can happen
that the parent process died before you read the name. It would need to be
passed from the kernel to be more reliable.

Note that the same issue exists for uids, it's just that it's a lot
rarer: the user would need to be deleted between the time the uid audit
message is passed and the name lookup.

It might still be an idea to have auparse_get_uid(au) etc.


Guillaume

On 08/02/2012 06:54 AM, John Dennis wrote:
> On 08/02/2012 06:54 AM, Burn Alting wrote:
>> Hi,
>>
>> I have a scenario of a mixed collection of Linux systems, some that have
>> users authenticate via a central ldap, others have local (/etc/passwd)
>> authentication.
>> This means I cannot 100% depend that the user name say, fred, with uid
>> 1000, has the same uid on every machine he has an account on.  Thus
>> before I send my logs to
>> a central server, I want to enrich them with user and group names I
>> validate at the local machine. That is, I want to change an event's
>> ids from
>>
>>     .... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43
>>     sgid=43 fsgid=43 ....
>>
>> to
>>
>>     .... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred)
>>     fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) ....
>>
>>
>> I BELIEVE my best approach is to use the event multiplexor (audispd) to
>> convert raw logs via a child program, say based on the sample code,
>> audisp-example (i.e. using the auparse library),
>> and send the output of this audisp-example variant to syslog to get
>> the event to a central repository.
>>
>> Is this the best approach?
>>
>> Are there parameters I should consider for audisp.conf (e.g. q_depth =
>> 99999)? Does such a configuration option in audisp.conf suggest I make
>> the buffer size set in audit.rules to something higher?
>>
>> Is there any consideration to having auditd have an option to directly
>> generate user and group names in addition to uids and gids?
> 
> A while ago we were actively working on central log aggregation and ran
> into exactly this problem. There are a number of items in an audit log
> whose value can only be interpreted on the machine the event occurred on
> and at the moment the event occurs (or within a short duration).
> 
> There were plans to author an audit plugin that would augment the data
> items with their (interpreted) value. I'm not sure whatever happened to
> that plugin. Steve, can you elaborate?
> 
> 


Thread overview: 9+ messages
2012-08-02 10:54 Advice on enriching logs with user and group names before moving them to a central log repository Burn Alting
2012-08-02 13:54 ` John Dennis
2012-08-02 16:26   ` Guillaume Destuynder [this message]
2012-08-02 21:12     ` Miloslav Trmac
2012-08-02 21:19       ` John Dennis
2012-08-06 17:51   ` Steve Grubb
2012-08-10  9:51     ` Burn Alting
2012-08-10 16:57       ` Michael Mather
2012-08-18 13:17       ` Steve Grubb
