Offline audit trail analysis
by Todd, Charles
Thanks to Steve for being our biggest target for questions on this list!
Has anyone talked about sane ways to do offline analysis of Linux audit
logs? Presumably, this would be on another Linux system, but maybe not
the same host, and probably not on the same release or with the same
username/IP address access. Conceptually, ausearch would save and
optionally read a system's "configuration" to be saved for
interpretation later.
My goal is central logging, but doing the reporting/analysis on the
central host. That way, I can see a user across the Enterprise (or at
least in the Linux hosts), but with all the power of ausearch for
refining the report. Ideally, I would do an ausearch -ts <date> -te
<date> --raw --config-to=<hostname.ausearch.config> and it would do
things like saving the syscall lookup table, look up users referenced in
the reported audit trail, and resolve IP address references in the
reported audit trail. Maybe one config file could be written for each
data type in an existing format (e.g. users in /etc/passwd format, hosts
in /etc/hosts format, etc.). I'm mainly after whether or not anyone has
considered extending ausearch for this kind of processing?
This way, an archive of raw logs could be kept along with the exact
system configuration which allows offloading the audit trail analysis to
a trusted location, rather than risk side effects from a rootkit.
Charlie Todd
Ball Aerospace & Technologies Corp.
This message and any enclosures are intended only for the addressee. Please
notify the sender by email if you are not the intended recipient. If you are
not the intended recipient, you may not use, copy, disclose, or distribute this
message or its contents or enclosures to any other person and any such actions
may be unlawful. Ball reserves the right to monitor and review all messages
and enclosures sent to or from this email address.
17 years, 3 months
comparing record ids in auparse
by John Dennis
In the functions auparse_timestamp_compare() and events_are_equal() the
host field is not checked, is that by design or omission? Should two
different events from two different hosts be comparable?
On a side note, the use of the term timestamp in symbol names like
auparse_timestamp_compare() seems misleading because the item in
question is not really a timestamp, rather it's an event identifier which
contains some time information. Are we too far down the road to call
this object an 'event_id'?
--
John Dennis <jdennis(a)redhat.com>
17 years, 3 months
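The two threads above ask for related things: interpreting raw audit records on a different host from a saved copy of the audited system's lookup tables, and whether an event identifier should include the originating host. The following Python script is an added example, not ausearch or auparse code, and the "--config-to" snapshot it reads is a hypothetical layout (users in /etc/passwd format, a "number name" syscall table, hosts in /etc/hosts format). All records and snapshot contents are constructed inline. It groups records into events by (stamp, serial, node) and shows that dropping the node field silently merges two events from different hosts that happen to share a stamp:serial.

```python
"""Offline interpretation of raw Linux audit records against a saved host snapshot.

Added example (not ausearch/auparse). Snapshot formats are an assumption of
this example; record format follows auditd's on-disk "key=value" lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed snapshot: what a hypothetical "ausearch --config-to" would save ---
PASSWD_SNAPSHOT = """\
root:x:0:0:root:/root:/bin/bash
ctodd:x:1001:1001:Charlie Todd:/home/ctodd:/bin/bash
"""
SYSCALL_SNAPSHOT = """\
59 execve
257 openat
"""
HOSTS_SNAPSHOT = """\
10.0.0.5 build01.example.org build01
"""

# --- Constructed raw records; node= is the emitting host. Both hosts happen to
# reuse the stamp:serial 1190000000.123:456, which is the comparison problem. ---
RAW_LOG = """\
node=build01 type=SYSCALL msg=audit(1190000000.123:456): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001
node=build01 type=EXECVE msg=audit(1190000000.123:456): argc=2 a0="ls" a1="-l"
node=db02 type=SYSCALL msg=audit(1190000000.123:456): arch=c000003e syscall=257 success=no exit=-13 uid=0 auid=1001
node=build01 type=USER_LOGIN msg=audit(1190000005.000:457): pid=2100 uid=0 auid=4294967295 addr=10.0.0.5 res=success
"""

EVENT_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (unsigned)-1: the kernel's "login uid not set"


@dataclass(frozen=True)
class EventId:
    """Seconds, milliseconds, serial and the emitting node (None if ignored)."""
    sec: int
    msec: int
    serial: int
    node: Optional[str] = None


def parse_record(line: str, ignore_node: bool = False) -> Tuple[EventId, Dict[str, str]]:
    """Split one raw record into its event id and a field dict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m is None:
        raise ValueError(f"no audit event id in record: {line!r}")
    node = None if ignore_node else fields.get("node")
    return EventId(int(m.group(1)), int(m.group(2)), int(m.group(3)), node), fields


class Snapshot:
    """Lookup tables captured on the audited host, kept in their native formats."""

    def __init__(self, passwd: str, syscalls: str, hosts: str) -> None:
        self.users = {int(f[2]): f[0] for f in
                      (l.split(":") for l in passwd.splitlines() if l and not l.startswith("#"))}
        self.syscalls = {int(n): name for n, name in
                         (l.split() for l in syscalls.splitlines() if l.strip())}
        self.hosts = {ip: names[0] for ip, *names in
                      (l.split() for l in hosts.splitlines() if l.strip() and not l.startswith("#"))}

    def interpret(self, fields: Dict[str, str]) -> Dict[str, str]:
        """Resolve numeric uids, syscall numbers and addresses using the snapshot only."""
        out = dict(fields)
        for key in ("uid", "auid"):
            if key in out and out[key].isdigit():
                out[key] = ("unset" if out[key] == UNSET_AUID
                            else self.users.get(int(out[key]), f"unknown({out[key]})"))
        if "syscall" in out and out["syscall"].isdigit():
            out["syscall"] = self.syscalls.get(int(out["syscall"]), f"unknown({out['syscall']})")
        if "addr" in out:
            out["addr"] = self.hosts.get(out["addr"], out["addr"])
        return out


def group_events(raw: str, snap: Snapshot, ignore_node: bool = False) -> Dict[EventId, List[Dict[str, str]]]:
    """Group interpreted records by event id; with ignore_node the host is dropped."""
    events: Dict[EventId, List[Dict[str, str]]] = {}
    for line in raw.splitlines():
        if line.strip():
            eid, fields = parse_record(line, ignore_node)
            events.setdefault(eid, []).append(snap.interpret(fields))
    return events


SNAPSHOT = Snapshot(PASSWD_SNAPSHOT, SYSCALL_SNAPSHOT, HOSTS_SNAPSHOT)

if __name__ == "__main__":
    for eid, recs in group_events(RAW_LOG, SNAPSHOT).items():
        print(f"{eid.node}:{eid.sec}.{eid.msec:03d}:{eid.serial}")
        for r in recs:
            print("   ", " ".join(f"{k}={v}" for k, v in r.items() if k not in ("node", "msg")))
```

Because every lookup goes through the snapshot taken on the audited host, the analysis host's own /etc/passwd and syscall table never influence the result, which is the point of offloading interpretation to a trusted machine. Running the same log with ignore_node=True yields two events instead of three, showing why a comparison that skips the host field cannot be used across a central log store.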
audit 1.6.1 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- External plugin support in place
- Updated system-config-audit with some bug fixes. (Miloslav Trmac)
- Add missing newline to string output of event dispatcher.
- Fix reference counting in auparse python bindings (#263961)
- Moved default af_unix plugin socket to /var/run/audispd_events
This release finalizes support for external audit event dispatcher plugins.
I've included a sample plugin that simply writes to syslog any events it
receives. At this point I think people can start writing plugins to do
analysis work, protocol conversion, alerting, or remote logging. At some
point, I will update the plugin sample to show how the audit parsing
library could be used to watch for bad logins and syslog it.
Please let me know if you run across any problems with this release.
-Steve
17 years, 3 months
[RFC] include audit type in audit message when using printk
by John Johansen
Currently audit drops the audit type when an audit message goes through
printk instead of the audit daemon. This is a minor annoyance in
that the audit type is no longer part of the message and the information
the audit type conveys needs to be carried in, or derived from the
message data.
The attached patch includes the type number as part of the printk.
Admittedly it isn't the type name that the audit daemon provides but I
think this is better than dropping the type completely.
---
kernel/audit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1354,7 +1354,8 @@ void audit_log_end(struct audit_buffer *
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else {
- printk(KERN_NOTICE "%s\n", ab->skb->data + NLMSG_SPACE(0));
+ struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+ printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
}
}
audit_buffer_free(ab);
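Review bot: the new printk line in the else branch runs well past 80 columns, so it should be wrapped, e.g. `printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type,` on one line and `ab->skb->data + NLMSG_SPACE(0));` on the next. Two things worth stating in the changelog text as well: the output format of these fallback records changes (anything scraping "audit" lines out of the kernel log will now see a leading "type=<number>" field), and the number is the raw nlmsg_type rather than the symbolic name userspace prints, so log consumers need the same numeric-to-name table ausearch uses. Obtaining nlh via nlmsg_hdr(ab->skb) in the same branch that already dereferences ab->skb->data adds no new NULL risk, which is fine.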
17 years, 3 months