On Tuesday, December 08, 2015 03:49:58 PM Richard Guy Briggs wrote:
On 15/12/08, Steve Grubb wrote:
> Hello,
>
> I would like to point out 2 new standards that have been posted to the
> linux audit web page. The first establishes the events around system
> start up and shutdown. This is important because it sets the session
> boundaries for when a system is up or down or crashed.
>
>
> http://people.redhat.com/sgrubb/audit/system-lifecycle.txt
A couple of very minor corrections to this first one:
Thanks, Applied.
> The second standard is more of a forward-looking standard. It explains how
> the audit daemon and utilities will perform event enrichment before being
> stored long term in an aggregator. The target for implementation is the
> 2.5 release of the audit daemon.
>
>
> http://people.redhat.com/sgrubb/audit/event-enrichment
How do you mean for IP address to be "resolved"? Is this simply a
matter of recording it? Or would this be a reverse lookup on the local
machine to get the opinion of what it should be from the DNS perspective
of the local machine, assuming different machines in the logging domain
could potentially have different views of DNS?
I think the latter. Bot-nets get shut down. Systems go away. Sometimes
internal names differ from external names.
-Steve
> Let me know if anyone has feedback on these standards, especially the
> second one.
>
> -Steve
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
Red Hat Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
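The point Steve makes above is that the reverse lookup has to happen on the logging machine at the time the event is written, because the DNS view of a remote aggregator (or of the same machine a week later) may differ or the name may be gone. The following is an added illustration of that, not code from the audit project or from either poster. It appends the local resolver's answer to an event that carries an addr= field. The enriched field name HOSTNAME and the use of the 0x1d group-separator byte between the original record and the appended fields are my assumptions, modelled on the uppercase-field convention of the enriched log format; the sample events are constructed. The resolver is injectable so the behaviour can be exercised offline with a fixed mapping.

```python
import re
import socket
from functools import lru_cache
from typing import Callable, Dict, List, Optional

# Constructed sample events (not real logs): SSH logins with a numeric
# source address, in the shape the audit daemon writes them.
SAMPLE_EVENTS: List[str] = [
    'type=USER_LOGIN msg=audit(1449604198.123:4567): pid=2101 uid=0 auid=1000 '
    "ses=12 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=192.0.2.10 terminal=/dev/pts/0 res=success'",
    'type=USER_LOGIN msg=audit(1449604199.456:4568): pid=2102 uid=0 auid=1001 '
    "ses=13 msg='op=login id=1001 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=198.51.100.7 terminal=/dev/pts/1 res=success'",
]

# \b keeps this from matching saddr= (a hex-encoded sockaddr, not an IP).
ADDR_RE = re.compile(r'\baddr=(\S+)')

# Assumed separator between the original record and the enriched fields.
ENRICH_SEP = '\x1d'

Resolver = Callable[[str], Optional[str]]


@lru_cache(maxsize=4096)
def reverse_lookup(addr: str) -> Optional[str]:
    """Reverse-resolve addr with THIS machine's resolver (gethostbyaddr).

    Cached because a busy host sees the same peers repeatedly; a negative
    answer is cached too, which is acceptable for a log-enrichment pass
    but means a late-appearing PTR record is not picked up until restart.
    """
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def enrich_event(event: str, resolver: Resolver = reverse_lookup) -> str:
    """Append HOSTNAME="<name>" (assumed field) holding the local view of addr.

    Events without a usable address are returned untouched. A failed
    lookup is recorded as HOSTNAME="?" so the consumer can tell "never
    attempted" from "attempted at write time and unresolvable".
    """
    m = ADDR_RE.search(event)
    if m is None or m.group(1) in ('?', '(none)'):
        return event
    name = resolver(m.group(1))
    if name is None:
        name = '?'
    return f'{event}{ENRICH_SEP}HOSTNAME="{name}"'


def enrich_all(events: List[str], resolver: Resolver = reverse_lookup) -> List[str]:
    """Enrich a batch of events, preserving order."""
    return [enrich_event(e, resolver) for e in events]


def split_enriched(line: str) -> Dict[str, str]:
    """Parse the appended part back into a dict (empty if not enriched)."""
    if ENRICH_SEP not in line:
        return {}
    _, tail = line.split(ENRICH_SEP, 1)
    return dict(re.findall(r'(\w+)="([^"]*)"', tail))


if __name__ == '__main__':
    # Real reverse lookups against this host's resolver.
    for line in enrich_all(SAMPLE_EVENTS):
        print(line.replace(ENRICH_SEP, ' | '))
```

Because the enrichment is appended rather than substituted, the original addr= field survives, so an aggregator with a different DNS view can still reason about the raw address while also seeing what the source host believed the name to be at the moment of the event.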