On Wednesday 30 January 2008 12:26:12 LC Bruzenak wrote:
> Just a thought from someone who is following this list closely b/c I'm
> tasked with setting up a multi-host system auditing capability - one
> thing Steve G. mentioned was:
> > it both decodes AND performs contextual substitution. Contextual
> > substitution only has meaning when applied on the same host and at
> > approximately the same time as when the audit record was generated.
>
> Correct. You are talking about something the library does not handle
> today. The reason is because there is no designed method to aggregate
> logs. So, when that work is done, auparse will be fixed up to handle
> the situation.
I have been thinking about how to solve this also; I bet I'm not alone.
The audit records are fairly self contained except user and groups. What I'm
thinking is that when the audit daemon starts up/rotates logs, it would send
an event that records all user/groups. This may not be needed for sites using
a network based identity system. So, it would probably be a config option in
auditd.conf just like whether or not to include node information. If the
record exists, auparse would cache it for reference in case interpretations
are needed for that host. It would replace the cached record when another for
the same host comes along.
Another possibility would be to have the sending site do an immediate
translation of user/group and add that to the record. This could cause
records to get longer. So it's got some drawbacks.
> So if/when changes are made I'd be grateful if it is included. I'll be
> willing to participate as required.
Sure, I'll probably be starting into this during February. One complication is
that I need to reserve a port with IANA. Being that audit data is important,
you would want to be on a port < 1024 to prevent any spoofing. But in order
to get a port < 1024, you need to have an IETF RFC.
> ps: Steve the prelude plugins are excellent!
I should be releasing a new audit package in the next few days. I've gotten
some excellent feedback from the prelude developers and I'm incorporating the
changes they suggested. I'm adding a few more events this time around, too.
-Steve