On Fri, 2012-08-10 at 19:51 +1000, Burn Alting wrote:
Steve,
I will go ahead with my audispd child program that enriches logs and
use rsyslog to get them to a central repository.
I also plan to concatenate all messages belonging to the same event
(i.e. time:event_id) and send this as one syslog message to the central
repository.
I'd rather do this on the client systems rather than at my central
repository, in order to gain the benefits of, effectively, distributed
processing.
This sounds very useful, Burn.
In an EXECVE message there is something like:
args=2 a0="ls" a1="/etc"
It would be nice if this could be changed to something like
command="ls /etc".
One problem is that the shell script interprets wildcards before auditd
sees the command, and that can lead to long strings. So maybe that
situation could become something like:
something="ls /etc/aaa /etc/bbb /etc/ccc ..."
In most cases a human reader would recognise what is happening.
Also, sometimes the parameters are in hex instead of strings, for
example when the parameter contains quotes.
Michael
-------
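Putting Michael's suggestion into code, as an added example that is not part of this thread: a small Python parser that turns one auditd EXECVE record into a single command string, decoding hex-encoded arguments and trimming long wildcard expansions. The record layout it assumes (argc, quoted or hex aN values, aN[M] chunks for oversized arguments) is auditd's; the sample records are constructed.

```python
import re
import shlex

# Constructed sample records (not from the thread). The field layout follows
# the auditd EXECVE format: argc, then a0, a1, ... ; an argument holding a
# space, a double quote or a control character is emitted as unquoted hex,
# and an oversized argument is split into aN[0], aN[1], ... chunks.
SAMPLE_EXECVE = ('type=EXECVE msg=audit(1344591109.123:4567): argc=3 '
                 'a0="sh" a1="-c" a2=6C73202F657463')
SAMPLE_SPLIT = ('type=EXECVE msg=audit(1344591110.456:4568): argc=2 '
                'a0="echo" a1_len=8 a1[0]="abcd" a1[1]="efgh"')

ARG_RE = re.compile(r'\ba(\d+)(?:\[(\d+)\])?=("[^"]*"|\S+)')


def decode_arg(raw):
    """Return the plain-text argument for one aN=... value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw                      # e.g. (null)


def parse_execve_args(record):
    """Collect a0..aN from one EXECVE record, reassembling split chunks."""
    parts = {}
    for idx, chunk, raw in ARG_RE.findall(record):
        parts.setdefault(int(idx), {})[int(chunk or 0)] = decode_arg(raw)
    return [''.join(v for _, v in sorted(parts[i].items()))
            for i in sorted(parts)]


def reconstruct_command(record, max_len=200):
    """Render the argv as one shell-quoted command string, trimmed with
    ' ...' when a wildcard expansion makes it longer than max_len."""
    argv = parse_execve_args(record)
    m = re.search(r'\bargc=(\d+)', record)
    if m and int(m.group(1)) != len(argv):
        # A truncated or mangled record; refuse to emit a misleading command.
        raise ValueError('argc=%s but %d arguments parsed' % (m.group(1), len(argv)))
    cmd = shlex.join(argv)
    if len(cmd) > max_len:
        cmd = cmd[:max_len].rstrip() + ' ...'
    return cmd
```

The hex argument in SAMPLE_EXECVE decodes to "ls /etc", so the record renders as the single line sh -c 'ls /etc'.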