[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: audit 0.6 release



I have a working (but rough) perl script and accompanying module that
will do the following:

1.  delete all existing rules shown by '/sbin/auditctl -a'

Given a list of user names, directories of interest, and system call
names:
  
2.  add rules to report all exit!= 0 for all calls and user names of
interest

3.  run a query on an audit log and spit out info on lines of interest

Given the present state of auditd messages this is the best I can come
up with for now.  I think it is easiy modifiable for those interested.
One thing I know it needs now is a list of specific return codes of
interest for the query.

By the way, I see that there are not always pairs of messages.  If a
syscall has at least one accompanying message it has 'items=1' (or more
sometimes I guess).  So while querying I check for that and look behind
one line for additional info if appropriate.  There may be other gotchas
I gain more experience sifting through the log.

Let me know if you want a copy.

-Tom Browder


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]