5:04 a.m.
I am new to the subject of user audit record.
I have some newbie questions.
Is it possible to generate these records in any language , python or java for example ?
Where can I find example or newbie documentation ?
Regards
Philippe
-----Message d'origine-----
De : linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] De la part de
linux-audit-request(a)redhat.com
Envoyé : vendredi 18 décembre 2015 18:00
À : linux-audit(a)redhat.com
Objet : Linux-audit Digest, Vol 135, Issue 9
Send Linux-audit mailing list submissions to
linux-audit(a)redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/linux-audit
or, via email, send a message with subject or body 'help' to
linux-audit-request(a)redhat.com
You can reach the person managing the list at
linux-audit-owner(a)redhat.com
When replying, please edit your Subject line so it is more specific than "Re:
Contents of Linux-audit digest..."
Today's Topics:
1. Re: Use case not covered by the audit library? (Steve Grubb)
2. Simple bug fix for PROCTITLE not being recognised with
ausearch --debug check (Burn Alting)
3. Re: New draft standards (Burn Alting)
4. Re: Simple bug fix for PROCTITLE not being recognised with
ausearch --debug check (Steve Grubb)
----------------------------------------------------------------------
Message: 1
Date: Thu, 17 Dec 2015 21:51:15 -0500
From: Steve Grubb <sgrubb(a)redhat.com>
To: "Gulland, Scott A" <scott.gulland(a)hpe.com>
Cc: Richard Guy Briggs <rgb(a)redhat.com>, "linux-audit(a)redhat.com"
<linux-audit(a)redhat.com>
Subject: Re: Use case not covered by the audit library?
Message-ID: <1484204.GzGFVCTWQh@x2>
Content-Type: text/plain; charset="us-ascii"
On Thursday, December 17, 2015 01:10:03 AM Richard Guy Briggs wrote:
> No, this is an HTTP server that handles standard HTTP requests
like
> GET, POST, PUT, and DELETE. The URI specifies what resource is
> being acted upon. These requests could come from something as
> simple as curl, or a full blown management application, or a web GUI
> (which is interactive in the browser). For example, you could issue
> a POST request to URI /openswitch/v1/users to create a new user.
> The body of the request would contain JSON or XML data indicating the user and
password. There are
> pre-determined actions/resources that can be changed. In standard REST
> APIs, all of the URIs, their parameters and the scheme of the body
> are documented and only these requests can be issued.>
>
>
> It's based on client/server and the client may or may not be interactive
> (e.g. a web browser). In these types of servers, we'd almost
> exclusively be using the audit_log_user_message() API with an event type
> of AUDIT_USYS_CONFIG. We're only logging configuration changes to the
> switch. I think I don't understand how the "message" parameter is
used
> in this call. The man page implies a simple text message, but
> looking at the audit.log file it appears to consist of a set of key-value
> pairs. Is my understanding correct?>
>
>
> My problem is I don't know what the proper set of "keys" are and the
> values they should contain. If my assumptions are correct, is there
> any documentation on on the key-value pairs and how to format the
> contents of the message parameter? Based on what I've seen in the
> audit log file, I would add "acct=<user>" to the contents of the
> message to reflect the particular authenticated user who issued the REST API call.
Well, Steve has published these as a starting point. I'm sure he'll
chime in when he sees your message.
http://people.redhat.com/sgrubb/audit/audit-events.txt
http://people.redhat.com/sgrubb/audit/audit-parse.txt
Thanks for pointing these out, Richard.
The basic guidance for AUDIT_USYS_CONFIG is to record old and new values.
Typically old values are prefixed with 'old-' and new values are the name of the
field with no prefix.
Any field that the user could influence the value has to be handled in such a way as to
not allow them to trick the parser if they are malicious. For the most part, we hex encode
those fields and then write some code to label the fields as encoded so that
interpretation can be done later.
Since your field names may not be official names in the audit system, you may have to
filter illegal characters the user sent during event construction and fill in spaces with
an underscore or dash.
-Steve
------------------------------
Message: 2
Date: Fri, 18 Dec 2015 14:20:44 +1100
From: Burn Alting <burn(a)swtf.dyndns.org>
To: "linux-audit(a)redhat.com" <linux-audit(a)redhat.com>
Subject: Simple bug fix for PROCTITLE not being recognised with
ausearch --debug check
Message-ID: <1450408844.14944.4.camel(a)swtf.swtf.dyndns.org>
Content-Type: text/plain; charset="utf-8"
Steve,
When ausearch is given the --debug option, malformed events are written to stderr. The
PROCTITLE type record is considered to be malformed. This patch corrects for this.
3289
days inactive
3289
days old
linux-audit@lists.linux-audit.osci.io
0 comments
1 participants
participants (1)
-
Maupertuis Philippe