On Thursday, December 15, 2011 10:56:51 AM Marcelo Cerri wrote:
> This patch adds a new tool to extract information related to virtual
> machines from the audit log files. It can output a summary with
> information about the number of events found with details by type of
> record and operation. The tool can also output the filtered records as
> found in the audit log.
>
> Using the --avc option auvirt tries to correlate AVC records to the guests
> based on their security context. It's also possible to select records related
> to just one guest using the UUID or the guest name.
I'm wondering about this tool. It runs fine. But I thought you were wanting to do
some more sophisticated analysis of events. For example this is the current
output:
$ ./auvirt --file ../../../virt-audit.log
Total records: 6
Virt records: 6
Resource records: 4
Machine ID records: 1
AVC records: 0
Operations:
    Start: 1
    Stop: 0
Considered time:
    Start: Tue Dec 20 09:33:01 2011
    End: Tue Dec 20 09:33:01 2011
This is not much different than what can be reported by ausearch/report with the
new uuid and vm search fields. Also, testing with the uuid number doesn't seem to
get any hits. But using the vm name does.
I plan to add a very basic virt report to aureport soon. I was wondering if the
above is all anyone really wanted to see? I would think that perhaps you want
some info about start/stop assignment of resources, changes in resources, and
perhaps MAC or anomaly events related to a vm. But laid out like the aulast
program.
    boot      vm-name   time (total runtime)
    resource  what-kind old-value new-value time (total time assigned)
    avc       access-type obj results time
    shutdown  vm-name   time
and there might be other audit events associated with a vm.
-Steve
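As an added illustration (not part of this thread or of auvirt itself), a Python sketch of the aulast-style report proposed above: it parses constructed VIRT_CONTROL and AVC records in the audit text format, pairs start/stop operations per guest into runtimes, and ties AVC records to a guest by matching scontext against the vm-ctx label from the guest's start record, which is the correlation the --avc option describes. Field names follow libvirt's audit records; the sample values are made up.

```python
import re
# Constructed sample records (not from the page or from auvirt): three libvirtd
# VIRT_CONTROL records plus one AVC denial whose scontext matches guest1's vm-ctx.
SAMPLE_LOG = """\
type=VIRT_CONTROL msg=audit(1324387981.101:201): pid=1200 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=start reason=booted vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-ctx=system_u:system_r:svirt_t:s0:c10,c20 res=success'
type=AVC msg=audit(1324388100.500:210): avc:  denied  { read } for  pid=2001 comm="qemu-kvm" name="disk.img" scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=VIRT_CONTROL msg=audit(1324388581.202:233): pid=1200 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=stop reason=shutdown vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-ctx=system_u:system_r:svirt_t:s0:c10,c20 res=success'
type=VIRT_CONTROL msg=audit(1324388700.303:240): pid=1200 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=start reason=booted vm="guest2" uuid=66666666-7777-8888-9999-000000000000 vm-ctx=system_u:system_r:svirt_t:s0:c30,c40 res=success'
"""
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+)\.\d+:\d+\): (?P<rest>.*)$")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \}")

def parse_records(text):
    """Parse audit lines into dicts of record type, epoch seconds and key=value fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        # libvirt wraps its fields in msg='...'; strip the wrapper so they and the
        # bare AVC fields parse with one key=value scan.
        rest = m.group("rest").replace("msg='", "").rstrip("'")
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        avc = AVC_RE.search(rest)
        if avc:
            fields.update(result=avc["result"], perms=avc["perms"].split())
        records.append({"type": m.group("type"), "ts": int(m.group("ts")), **fields})
    return records

def vm_timeline(records):
    """aulast-style rows (vm, start_ts, stop_ts, runtime_secs); None while still running."""
    running, rows = {}, []
    for r in records:
        if r["type"] != "VIRT_CONTROL" or r.get("res") != "success":
            continue
        vm = r.get("vm")
        if r.get("op") == "start":
            running[vm] = r["ts"]
        elif r.get("op") == "stop" and vm in running:
            start = running.pop(vm)
            rows.append((vm, start, r["ts"], r["ts"] - start))
    rows.extend((vm, start, None, None) for vm, start in running.items())
    return sorted(rows, key=lambda row: row[1])

def attribute_avcs(records):
    """Tie AVC records to a guest via scontext == vm-ctx of its start record (--avc idea)."""
    ctx_to_vm = {r["vm-ctx"]: r["vm"] for r in records
                 if r["type"] == "VIRT_CONTROL" and r.get("op") == "start" and "vm-ctx" in r}
    return [(ctx_to_vm[r["scontext"]], r["ts"], r.get("result"), r.get("perms"), r.get("tclass"))
            for r in records if r["type"] == "AVC" and r.get("scontext") in ctx_to_vm]
```

Note that only AVC records whose scontext matches a guest label are attributed; a denial carrying the libvirtd context itself, or a label from a guest that started before the considered time, is left unassigned rather than guessed.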