I am trying to add DB support to Audit. What kind of DB support is expected
and would be most useful? Should it be on the basis of
1.) Ranges of netlink message types, i.e.
    1000 - 1099 are for commanding the audit system
    1100 - 1199 user space trusted application messages
    1200 - 1299 messages internal to the audit daemon
    <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L34>
    1300 - 1399 audit event messages
    1400 - 1499 SE Linux use
    <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L36>
    1500 - 1599 kernel LSPP events
    <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L37>
    1600 - 1699 kernel crypto events
    <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L38>
    1700 - 1799 kernel anomaly records
    <http://www.gelato.unsw.edu.au/lxr/source/include/linux/audit.h#L39>
    1800 - 1999 future kernel use (maybe integrity labels and related
    events)
and so on, or
2.) The tables should be based on each type of record coming in the
logs (which would be a daunting task).
Is there any other way I can use the audit logs and do some classification
of the records in an efficient manner in the database as tables? What should
be the classification factor for the tables in the DB?
Please reply ,
Thanking You,
Mukul Khullar.
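One way to answer the schema question, as an added example that is not part of the original post or of the audit project's own code: a small Python/SQLite loader that classifies each raw audit.log record by the audit.h type range (option 1 above) and stores every record in the same three generic tables (events, records, fields) instead of one table per record type (option 2). The sample log lines are constructed; the AUDIT_* numbers are the values for those names in include/linux/audit.h, and the table and function names are assumptions of this example.

```python
import re
import sqlite3

# Message-type ranges from include/linux/audit.h, as listed in the post:
# (lower bound, upper bound, class label)
TYPE_CLASSES = [
    (1000, 1099, "control"),    # commanding the audit system
    (1100, 1199, "user"),       # user-space trusted application messages
    (1200, 1299, "daemon"),     # messages internal to auditd
    (1300, 1399, "event"),      # kernel audit event records
    (1400, 1499, "selinux"),    # SE Linux use
    (1500, 1599, "lspp"),       # kernel LSPP events
    (1600, 1699, "crypto"),     # kernel crypto events
    (1700, 1799, "anomaly"),    # kernel anomaly records
    (1800, 1999, "integrity"),  # reserved for future kernel use
]

# A subset of the AUDIT_* type numbers from include/linux/audit.h.
# audit.log carries the symbolic name; netlink carries the number.
TYPE_NUMBERS = {
    "LOGIN": 1006, "USER_AUTH": 1100, "USER_ACCT": 1111,
    "DAEMON_START": 1200, "SYSCALL": 1300, "PATH": 1302,
    "CWD": 1307, "EXECVE": 1309, "AVC": 1400,
    "ANOM_PROMISCUOUS": 1700, "INTEGRITY_DATA": 1800,
}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic schema (assumed names): one row per event serial, one row per
# record, and the record's key=value pairs as an indexed name/value table.
SCHEMA = """
CREATE TABLE events  (serial INTEGER PRIMARY KEY, ts REAL NOT NULL);
CREATE TABLE records (id INTEGER PRIMARY KEY,
                      serial INTEGER NOT NULL REFERENCES events(serial),
                      type_num INTEGER, type_name TEXT NOT NULL,
                      class TEXT NOT NULL);
CREATE TABLE fields  (record_id INTEGER NOT NULL REFERENCES records(id),
                      name TEXT NOT NULL, value TEXT NOT NULL);
CREATE INDEX fields_name_value ON fields(name, value);
"""

# Constructed sample audit.log lines: one execve event (4 records sharing
# serial 42), a PAM authentication, an AVC denial and a promiscuous-mode alert.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1699999999.123:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="exec"',
    'type=EXECVE msg=audit(1699999999.123:42): argc=2 a0="cat" a1="/etc/shadow"',
    'type=CWD msg=audit(1699999999.123:42): cwd="/root"',
    'type=PATH msg=audit(1699999999.123:42): item=0 name="/etc/shadow" inode=123 mode=0100000 ouid=0 ogid=42',
    'type=USER_AUTH msg=audit(1699999999.200:43): pid=999 uid=0 auid=1000 msg=\'op=PAM:authentication acct="root" exe="/usr/bin/sudo" res=success\'',
    'type=AVC msg=audit(1699999999.300:44): avc:  denied  { read } for  pid=555 comm="httpd" name="shadow" dev="sda1" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=ANOM_PROMISCUOUS msg=audit(1699999999.400:45): dev=eth0 prom=256 old_prom=0 auid=1000 uid=0 gid=0 ses=1',
]


def classify(type_num):
    """Map a numeric audit message type onto its audit.h range label."""
    for low, high, label in TYPE_CLASSES:
        if low <= type_num <= high:
            return label
    return "unknown"


def parse_record(line):
    """Split one raw audit.log record into its header and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    type_name, ts, serial, body = m.groups()
    type_num = TYPE_NUMBERS.get(type_name)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type_name": type_name, "type_num": type_num,
            "class": classify(type_num) if type_num is not None else "unknown",
            "ts": float(ts), "serial": int(serial), "fields": fields}


def load_audit_log(lines, db_path=":memory:"):
    """Parse records and load them into the generic three-table schema."""
    conn = sqlite3.connect(db_path)
    conn.executescript(SCHEMA)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not a parseable audit record; skip it
        conn.execute("INSERT OR IGNORE INTO events(serial, ts) VALUES (?, ?)",
                     (rec["serial"], rec["ts"]))
        cur = conn.execute(
            "INSERT INTO records(serial, type_num, type_name, class) VALUES (?, ?, ?, ?)",
            (rec["serial"], rec["type_num"], rec["type_name"], rec["class"]))
        conn.executemany("INSERT INTO fields(record_id, name, value) VALUES (?, ?, ?)",
                         [(cur.lastrowid, k, v) for k, v in rec["fields"].items()])
    conn.commit()
    return conn


def records_by_class(conn):
    """Count stored records per audit.h range class."""
    return dict(conn.execute("SELECT class, COUNT(*) FROM records GROUP BY class"))


def events_with_field(conn, name, value):
    """Serials of every event containing a record with name=value, any type."""
    rows = conn.execute(
        "SELECT DISTINCT r.serial FROM records r JOIN fields f ON f.record_id = r.id "
        "WHERE f.name = ? AND f.value = ? ORDER BY r.serial", (name, value))
    return [serial for (serial,) in rows]


if __name__ == "__main__":
    db = load_audit_log(SAMPLE_LOG)
    print(records_by_class(db))
    print("events with uid=0:", events_with_field(db, "uid", "0"))
    print("events naming /etc/shadow:", events_with_field(db, "name", "/etc/shadow"))
```

The point of the generic layout is that a query such as "every event, of any record type, that involved uid 0" is one join on the fields table, whereas per-type tables would need a UNION across every table that happens to carry a uid column. The range class is kept as a column so a report can still split user-space, daemon, kernel-event, SELinux and anomaly records apart without knowing each individual AUDIT_* type.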