Hi,
I have a scenario of a mixed collection of Linux systems, some that have users authenticate via a central ldap, others have local (/etc/passwd) authentication.
This means I cannot 100% depend that the user name say, fred, with uid 1000, has the same uid on every machine he has an account on. Thus before I send my logs to
a central server, I want to enrich them with user and group names I validate at the local machine. That is, I want to change an event's ids from
.... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43 sgid=43 fsgid=43 ....
to
.... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred) fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) ....
I BELIEVE my best approach is use the event multiplexor (audispd) to convert raw logs via a child program, say based on the sample code, audisp-example (i.e. using the auparse library)
and send the output of this audisp-example variant to syslog to get the event to a central repository.
Is this the best approach?
Are there parameters I should consider for audisp.conf (e.g. q_depth = 99999)? Does such a configuration option in audisp.conf suggest I make the buffer size set in audit.rules to something higher?
Is there any consideration to having auditd have a option to directly generate user and group names in addition to uid and gids?
Thanks in advance
Burn