From: LC Bruzenak
Subject: Re: New draft standards
Date: Tue, 29 Dec 2015 12:28:42 -0700
Message-ID: <5682DEEA.4040803@magitekltd.com>
In-Reply-To: <1736195.o09BuzvBta@x2>
To: linux-audit@redhat.com

On 12/14/2015 08:34 AM, Steve Grubb wrote:
> That is not exactly what I proposed.
> What I was proposing was to record the translation of things that could
> change between systems and thus prevent correct interpretation later.
> Doing all translations is technically possible but would slow down auditd
> just a bit and increase the amount of data on disk. But doing this is not
> really necessary for the native audit tools.
>
> But I guess this gives me an opportunity to ask the community what tools
> they are using for audit log collection and viewing? It's been a couple
> years since we had this discussion on the mail list and I think some
> things have changed.
>
> Do people use ELK?
> Apache Flume?
> Something else?
>
> It might be possible to write a plugin to translate the audit logs into
> the native format of these tools.

Sorry for the late reply.

Translating the salient details is for me important. This is especially true on systems where:

- aggregation is happening from one or more different machines (and cannot assume federated UIDs), and
- where records are required to be kept over long periods of time (system updates happen, UIDs are changed, people leave, etc.)

I realize it carries a processing burden somewhere; this is inevitable and I believe we'll need to design for this.

We're auditing for a reason; we need proof of who did what and in varying degrees I believe this means persistence of accountability.

Because I'm almost a one-stop shop where I work, and the auditing requirements are specific and particular, I have a homegrown log collection and viewing solution for now but would prefer to incorporate a flexible, more useful user tool. So I'm in the "something else" category but somewhat open to change.
LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
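One way to do the translation the thread discusses (record, at collection time, the meaning of identifiers that differ between hosts or change over time, and emit a format a tool such as ELK ingests), as an added example that is not part of this thread or of the audit project's code. It assumes a constructed passwd/group table in place of the host's real account database and two constructed sample records.

```python
import json
import re
import socket

# Identifier fields whose numeric values only mean something on the host that
# wrote the record, and only while its account database is unchanged.
UID_FIELDS = ("uid", "auid", "euid", "suid", "fsuid", "ouid")
GID_FIELDS = ("gid", "egid", "sgid", "fsgid", "ogid")
AUID_UNSET = 4294967295  # -1 as u32: the "no login session" marker

# Constructed account tables standing in for this host's passwd/group data at
# the moment of collection (assumption; a real collector would use pwd/grp).
PASSWD = {0: "root", 1000: "lenny"}
GROUP = {0: "root", 1000: "lenny"}

# name=value pairs; double- or single-quoted values may contain spaces.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def enrich_record(line, hostname, passwd=PASSWD, group=GROUP):
    """Parse one raw audit record and attach the translations that can differ
    between systems or change over time: UID/GID names and the source host."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value.strip("\"'"))  # first msg= (event id) wins
    out = {"host": hostname, **fields}
    for key in UID_FIELDS:
        if key in fields:
            uid = int(fields[key])
            out[key + "_name"] = "unset" if uid == AUID_UNSET else passwd.get(uid, "unknown")
    for key in GID_FIELDS:
        if key in fields:
            out[key + "_name"] = group.get(int(fields[key]), "unknown")
    return out

def enrich_stream(lines, hostname):
    """One JSON document per record, the shape a JSON-based collector ingests."""
    return [json.dumps(enrich_record(line, hostname), sort_keys=True) for line in lines]

# Constructed sample records, not a real capture.
SAMPLE = [
    'type=SYSCALL msg=audit(1451416122.123:456): arch=c000003e syscall=2 success=yes '
    'exit=3 ppid=1 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="audit-config"',
    "type=USER_LOGIN msg=audit(1451416100.000:455): pid=2000 uid=0 auid=4294967295 "
    "ses=4294967295 msg='op=login acct=\"lenny\" exe=\"/usr/sbin/sshd\" res=failed'",
]

if __name__ == "__main__":
    for doc in enrich_stream(SAMPLE, socket.gethostname()):
        print(doc)
```

The nested `msg='...'` payload of user-space records is kept as one string; splitting it further is left to the collector.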