Re: Application audit through auditd

On Wednesday, June 04, 2014 09:36:15 PM Burn Alting wrote: Several people lurking on this have. They may not chime in but I will give a few tips. If you are adding events of your own and they have nothinig to do with typical system operation, we have reserved the AUDIT_TRUSTED_APP record type for anyone to use. You can make the event into anything you want. If however you are doing something a typical system would do, Then you should map the event to another user space record type and write your event exactly in the same format as others of the same type. Analytical programs are sensitive this. All fields of existing events need to be filled in in the same format in the same order. If you have a new field that a user might be able to influence, then it must become encoded so that a crafty user does not trick the parsers thus avoiding detection. If you find yourself in that situation, there is a function audit_encode_nv_string() that should make it easy to do. Also, don't invent new names for fields. There is a comprehensive list in the auparse specification: http://people.redhat.com/sgrubb/audit/audit-parse.txt I might reorganize that document into something describing how to write well formed events. It should not. There will be some delay in sending an event as opposed to not sending one. But most applications that log do some very infrequently. I have heard of some that send quite a bit, too. But I think you'll see a lot of overall delays depending on what you have for the flush setting in auditd. If you can tolerate the loss of events if there's an oops, then you can set it to "none" and just let it go. -Steve