Hi Steve,
Thanks for your feedback.
I'm already coding the auvirt tool and I'd like to add command line
options similar to "--start" and "--end" from ausearch.
Looking into the ausearch code I found two functions (ausearch_time_end and
ausearch_time_start) that already parse the date and time given and
support some interesting options such as "now", "today",
"week-ago", etc.
Do you think there would be a problem in using these functions in auvirt?
Regards,
Marcelo
On 12/03/2011 11:59 AM, Steve Grubb wrote:
On Friday, November 11, 2011 05:26:20 PM Marcelo Cerri wrote:
> Hi,
>
> We are working on a project in which we need to get some events from
> the audit log related to virtual machine events and filter these events per
> guest. Currently, the audit tools don't support this kind of search.
> However, we are willing to implement the necessary features to support it
> and we'd like to receive some feedback from audit stakeholders on our
> proposal.
>
> Most of these records are generated by libvirt, but some of them are
> generated by SELinux (as AVC denials). To get events generated by
> libvirt, we'd like to search through audit records using both the "uuid"
> and "vm" fields.
> The following records are examples of both types of records that we
> intend to filter:
>
> type=VIRT_RESOURCE msg=audit(1319602467.134:33): user pid=14103 uid=0
> auid=4294967295 ses=4294967295 msg='resrc=disk reason=start
> vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a old-disk="?"
> new-disk="/var/lib/libvirt/images/CentOS-Guest.img":
> exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
> type=AVC msg=audit(1318529059.690:801): avc: denied { read } for
> pid=31199 comm="qemu-kvm" name="RHEL6.img" dev=dm-0 ino=524635
> scontext=system_u:system_r:svirt_t:s0:c99,c999
> tcontext=system_u:object_r:svirt_image_t:s0:c390,c835 tclass=file
>
> While the "vm" field contains the domain name and is a more user-friendly
> identifier, it's intended to be unique only within the scope of a
> single host. On the other hand, the "uuid" field is intended to be a global
> identifier.
>
> We'd like to create a stand-alone tool, similar to aulast, to filter
> this kind of event, which could be part of audit's tools. It'd be
> able to list VM-specific events and filter these events by UUID or VM
> name if needed. We intend to support the following usage/options
> (any suggestions are welcome):
>
> Usage: auvirt [ options ] [ uuid | vm-name ]
>
> Options:
>
> --summary (default)
>     Write a formatted output containing summarized information such as
>     the considered time period, the total number of VM-specific events,
>     the total number of events by type (start, stop, resource change) and
>     the total number of AVC events.
>
> --raw
> Write records related to guests as shown in audit.log. The
> output may contain the following record types: VIRT_CONTROL,
> VIRT_RESOURCE, VIRT_MACHINE_ID and AVC.
>
> -f file, --stdin
> Same as aulast.
>
> We intend to correlate AVC denial events to guests through the security
> label used by a guest in a specific period.
This sounds fine.
> Another proposal would be to change ausearch to support two new search
> options:
>
> -uu, --uuid vm-uuid
> Search for an event with the given UUID.
>
> -vm, --vm-name vm-name
> Search for an event with the given virtual machine name.
This sounds fine.
> However, these fields are defined by libvirt and it may be a good idea
> to add to libaudit a new "audit_log_*" function to enforce a standard
> message format for VM related events that could be used by other
> virtualization tools.
This also sounds fine.
I was also considering making a very basic report in aureport but as you can see from
aulast, sometimes a special dedicated report is better for different kinds of uses.
-Steve
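To make the proposal concrete, here is an added stand-alone illustration (not code from the audit project or from auvirt) of the three pieces discussed in the thread: parsing the VIRT_RESOURCE and AVC records quoted above, selecting VM events by UUID or vm name within a "--start"/"--end" style time window, and attributing AVC denials to a guest through the SELinux label that guest used during a given period. The second VIRT_RESOURCE record, the second AVC record, the SYSCALL line, the RHEL6 guest's uuid and the LABEL_PERIODS table are constructed for the example (a real tool would build that table from VIRT_MACHINE_ID records, whose format is not shown here), and parse_time() is a small subset of the keywords ausearch accepts, not ausearch's own parser.

```python
"""Toy auvirt-style filter: parse audit records, select VM events by uuid or
vm name and a time window, and attribute AVC denials to guests by SELinux label.
Stand-alone illustration, not code from the audit project."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log. Records 33 and 801 are the ones quoted in the thread;
# the others are invented here in the same format (the RHEL6 uuid is a
# placeholder) so that filtering has something to include and exclude.
SAMPLE_LOG = """\
type=VIRT_RESOURCE msg=audit(1319602467.134:33): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='resrc=disk reason=start vm="CentOS-Guest" uuid=41ffecd5-037e-0059-b074-ab2bf354fd0a old-disk="?" new-disk="/var/lib/libvirt/images/CentOS-Guest.img": exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1318529059.690:801): avc: denied { read } for pid=31199 comm="qemu-kvm" name="RHEL6.img" dev=dm-0 ino=524635 scontext=system_u:system_r:svirt_t:s0:c99,c999 tcontext=system_u:object_r:svirt_image_t:s0:c390,c835 tclass=file
type=VIRT_RESOURCE msg=audit(1318529000.000:790): user pid=14103 uid=0 auid=4294967295 ses=4294967295 msg='resrc=disk reason=start vm="RHEL6" uuid=00000000-0000-0000-0000-00000000abcd old-disk="?" new-disk="/var/lib/libvirt/images/RHEL6.img": exe="/usr/sbin/libvirtd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1318529100.000:805): avc: denied { write } for pid=31250 comm="qemu-kvm" name="other.img" dev=dm-0 ino=524700 scontext=system_u:system_r:svirt_t:s0:c1,c2 tcontext=system_u:object_r:svirt_image_t:s0:c3,c4 tclass=file
type=SYSCALL msg=audit(1318529100.000:805): arch=c000003e syscall=2 success=no exit=-13 comm="qemu-kvm"
"""

# Constructed (label, uuid, first_ts, last_ts) table: which guest used which
# SELinux process label during which period. Assumed here; a real tool would
# derive it from VIRT_MACHINE_ID records.
LABEL_PERIODS = [
    ("system_u:system_r:svirt_t:s0:c99,c999",
     "00000000-0000-0000-0000-00000000abcd", 1318529000.0, 1318600000.0),
]

VM_TYPES = {"VIRT_CONTROL", "VIRT_RESOURCE", "VIRT_MACHINE_ID"}
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$")
KV_RE = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<q>[^"]*)"|(?P<u>\S+))')


def parse_record(line):
    """Return {'type', 'time', 'serial', 'fields'} for one audit line, else None."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    # Flatten the quoted msg='...' sub-message so its key=value pairs are parsed too.
    body = m.group("body").replace("msg='", "").rstrip("'")
    fields = {}
    for kv in KV_RE.finditer(body):
        fields[kv.group("key")] = kv.group("q") if kv.group("q") is not None else kv.group("u")
    return {"type": m.group("type"), "time": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def guest_for_label(label, ts):
    """uuid of the guest that was running under `label` at time `ts`, or None."""
    for lbl, uuid, first, last in LABEL_PERIODS:
        if lbl == label and first <= ts <= last:
            return uuid
    return None


def guest_of(rec):
    """Guest uuid a record belongs to: the uuid field for libvirt records,
    the label table for AVC records, None for anything else."""
    if rec["type"] in VM_TYPES:
        return rec["fields"].get("uuid")
    if rec["type"] == "AVC":
        return guest_for_label(rec["fields"].get("scontext", ""), rec["time"])
    return None


def parse_time(spec, now):
    """Subset of ausearch's --start/--end keywords (now, today, week-ago) plus an
    ISO 8601 timestamp (naive values are taken as UTC); returns epoch seconds."""
    if spec == "now":
        return now.timestamp()
    if spec == "today":
        return now.replace(hour=0, minute=0, second=0, microsecond=0).timestamp()
    if spec == "week-ago":
        return (now - timedelta(days=7)).timestamp()
    dt = datetime.fromisoformat(spec)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def select(log_text, guest=None, start=None, end=None):
    """VM-type and AVC records within [start, end] (epoch seconds), optionally
    limited to one guest given either by uuid or by vm name."""
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    # Resolve a vm name to its uuid using the libvirt records in the log.
    names = {r["fields"].get("vm"): r["fields"].get("uuid")
             for r in records if r["type"] in VM_TYPES}
    want = None if guest is None else names.get(guest, guest)
    out = []
    for r in records:
        if r["type"] not in VM_TYPES and r["type"] != "AVC":
            continue
        if start is not None and r["time"] < start:
            continue
        if end is not None and r["time"] > end:
            continue
        if want is not None and guest_of(r) != want:
            continue
        out.append(r)
    return out


def summary(records):
    """Counts per record type and, for libvirt records, per reason (--summary style)."""
    counts = {}
    for r in records:
        key = r["type"] if r["type"] == "AVC" else f'{r["type"]}/{r["fields"].get("reason", "?")}'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in select(SAMPLE_LOG, guest="RHEL6"):
        print(rec["type"], rec["serial"], guest_of(rec))
    print(summary(select(SAMPLE_LOG)))
```

Note the ordering problem the correlation has to handle: the label table is keyed by period, so the same MCS category pair can be attributed to different guests over time, and an AVC whose scontext matches no guest in that window is deliberately left unattributed rather than guessed. The vm name lookup only knows names seen in libvirt records of the same log, which is the host-local scope the thread describes for the "vm" field; the uuid path needs no such lookup.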