On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
> Does this capability exist already in linux audit and I’m just not
> seeing it???
man audit_log_user_message
> Is it a bad idea to build and then to insert a custom audit/message,
> or any standard audit, into the audit.log file?
Nope.
> If so are there any problems to look out for, e.g. event id/sequence
> number collisions, auparse or ausearch problems, formatting issues to
> adhere to???
The text in the audit_log_user_message is not really freeform-safe, and
it is practically limited to somewhere around 900+ bytes (from a kernel
setting, unless it has been updated since).
The parser will throw away some of your records if the text matches what
it is looking for elsewhere. Maybe Steve can point out the specs. For
example, I had this one:
> # ausearch -ts this-week -a 22476
> <no matches>
>
> in the raw log:
> node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp
> ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> res=success)'
>
> Any clues?
When ausearch finds a malformed record, it discards it as a safety
measure.
-Steve
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
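The failure Lenny shows above (a USER record whose free-form text contains a pasted PATH record, which ausearch then refuses to match) is what libaudit's name=value encoding convention is meant to prevent. The following is an added example, not code from this thread or from the audit project: it reimplements in Python the encoding rule I understand audit_encode_nv_string to follow (a value made only of printable ASCII with no spaces or double quotes is emitted as name="value"; anything else is emitted as name=HEX, uppercase hex of the raw bytes, which auparse decodes on the way out), adds a check for raw record syntax left in the text, and enforces a size cap. The 900-byte cap is an assumption taken from the "somewhere around 900+ bytes" remark above, not the kernel's actual constant, and the sample value is the PATH record quoted in the thread.

```python
"""Sanitise a free-form string before handing it to audit_log_user_message().

Added example; it mirrors libaudit's name=value encoding convention in
Python so the effect on the parser can be seen without an audit socket.
"""
import re

# Assumption taken from the thread ("somewhere around 900+ bytes"); the real
# limit is a kernel setting and should be checked on the target system.
MAX_USER_MSG_BYTES = 900

# Start-of-record syntax that ausearch/auparse look for. If it appears
# unencoded inside a user message, the parser can treat the message as a
# malformed record and discard it, which is what happened to -a 22476 above.
RECORD_MARKER = re.compile(rb"type=[A-Z_]+ msg=audit\(")


def value_needs_encoding(value: bytes) -> bool:
    """True if any byte is a double quote, a space/control byte or non-ASCII."""
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in value)


def encode_nv(name: str, value: bytes) -> bytes:
    """Emit name="value" for clean values and name=HEX otherwise.

    HEX is the uppercase hex of the raw bytes, the same shape libaudit
    produces, so a stock auparse can decode it.
    """
    if value_needs_encoding(value):
        return name.encode("ascii") + b"=" + value.hex().upper().encode("ascii")
    return name.encode("ascii") + b'="' + value + b'"'


def build_user_message(fields: dict) -> bytes:
    """Join encoded name=value pairs with spaces and enforce the size cap."""
    msg = b" ".join(encode_nv(k, v) for k, v in fields.items())
    if len(msg) > MAX_USER_MSG_BYTES:
        raise ValueError(
            f"user message is {len(msg)} bytes, cap is {MAX_USER_MSG_BYTES}")
    return msg


def embeds_record_marker(msg: bytes) -> bool:
    """Report whether raw record syntax survives in the message text."""
    return RECORD_MARKER.search(msg) is not None


# Constructed sample: the PATH record quoted in the thread, as a caller might
# naively paste it into the text argument of audit_log_user_message().
RAW_EMBEDDED = (
    b"node=jim type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4 "
    b"name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644 ouid=ntp"
)

if __name__ == "__main__":
    unsafe = b"op=note " + RAW_EMBEDDED
    print("raw text carries record syntax:", embeds_record_marker(unsafe))
    safe = build_user_message({"op": b"note", "detail": RAW_EMBEDDED})
    print("encoded text carries record syntax:", embeds_record_marker(safe))
    print(safe[:72].decode("ascii"), "...")
```

The point of the check is that the raw paste trips RECORD_MARKER while the encoded form does not: because the value contains spaces, it is hex-encoded as a single token, so nothing inside it can look like `type=... msg=audit(` to the parser. The same holds for any other free-form input (user names, paths, program arguments) that might contain spaces, quotes or newlines.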