All,

Some of you may remember the post a month or two back about an audit dispatcher that converts the output of auditd into one-line-per-event/one-event-per-line. I've reached an alpha state for this program, and would appreciate comments/suggestions etc.

Features:

* Takes the output from auditd, and migrates the data into something that is suitable for applications that expect an event to be self-contained on a single line.
* Tries to extrapolate usernames from userids (using an internal cache if it can, to cut down on the getpw* calls) so that a centralised audit collection system doesn't have to keep UID->username mappings for all systems.
* Turns eventID numbers into event names (multi-arch compatible).
* Filters audit log data based on administrator-configurable objectives.
* Automatically turns on events as appropriate, based on the administrator's defined objectives.
* Internal/embedded web server for remote control of the audit configuration, and (to a certain extent) review of the most recently received audit events. Fully contained within the code - no external files are accessed to build the web pages (except the config file). The HTTP server can be password protected, and has a basic IP-based access control capability.
* Sends audit data to a specified IP address/port combination (snare format, or syslog format), or to a local file (though this isn't supported in the web GUI).

Installation:

  $ tar xzf SnareLinux-1.0.tar.gz
  $ make
  # cp /etc/audit.rules /etc/audit.rules-`date "+%Y%m%d"`
  # cp /etc/auditd.conf /etc/auditd.conf-`date "+%Y%m%d"`
  # make install
  # vi /etc/snare.conf
    .. uncomment:
    # allow=1
  # /etc/init.d/auditd restart

(make uninstall will revert).

Point a browser at port 6161 of the target machine, and configure/manage appropriately.
If you don't want to fire up a syslog server or snare micro server to receive events, feel free to run something like this for testing:

  $ socat udp4-listen:6161,reuseaddr,fork OPEN:/tmp/snare.log,creat,append

Alternatively, manually add the following into the [Output] section of the config file:

  file=/tmp/snare.log

Developed on RHEL4U2/CentOS4U2. Only very basic testing/QA has been performed so far. I'd be very interested to know if it works 'out of the box' on any other distros, or if people have any problems with installation/use.

BTW: Assume the code is fully GPL - I haven't plastered the notification through the source yet though. :)

Regards,
Leigh.
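The following is an added example, not part of the post above and not the SnareLinux code itself. It sketches the dispatcher's core transformation in Python: auditd emits several records per event (SYSCALL, EXECVE, CWD, PATH, ...) that share one msg=audit(timestamp:serial) id, and the example groups those records by that id into one self-contained line per event, resolves numeric uids to names through a cache so the expensive getpw* lookup runs at most once per uid, and maps syscall numbers to names per architecture. The sample log lines, the passwd mapping and the deliberately partial syscall table are constructed for the example; the default uid lookup via the pwd module is an assumption that only holds on Unix.

```python
"""One-line-per-event conversion of auditd records (added example)."""
import re

# Constructed, partial syscall table keyed by auditd's "arch" field
# (c000003e = x86_64, 40000003 = i386). A real dispatcher needs the full table.
SYSCALL_NAMES = {
    "c000003e": {2: "open", 59: "execve", 257: "openat"},
    "40000003": {5: "open", 11: "execve", 295: "openat"},
}

UID_FIELDS = ("uid", "auid", "euid", "suid", "fsuid", "ouid")
UNSET_UID = 4294967295  # auditd writes -1 ("unset") as unsigned 32-bit

# "type=SYSCALL msg=audit(1700000000.123:456): arch=... syscall=..."
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed uid -> name mapping standing in for the system passwd database.
CONSTRUCTED_PASSWD = {0: "root", 1000: "alice"}


def passwd_lookup(uid):
    """Default resolver: the real getpwuid call (assumes a Unix host)."""
    import pwd
    return pwd.getpwuid(uid).pw_name


class UidCache:
    """Resolve uid -> username, calling the lookup function at most once per uid."""

    def __init__(self, lookup=passwd_lookup):
        self._lookup = lookup
        self._cache = {}
        self.misses = 0  # number of times the expensive lookup was actually called

    def name(self, uid):
        if uid == UNSET_UID:
            return "unset"
        if uid not in self._cache:
            self.misses += 1
            try:
                self._cache[uid] = self._lookup(uid)
            except KeyError:  # unknown uid: keep the number, never invent a name
                self._cache[uid] = str(uid)
        return self._cache[uid]


def parse_record(line):
    """Split one raw auditd line into (type, timestamp, serial, {field: value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, serial, fields


def enrich(rtype, fields, uids):
    """Replace syscall numbers and uids in place with their names."""
    arch = fields.get("arch")
    if rtype == "SYSCALL" and "syscall" in fields and arch in SYSCALL_NAMES:
        num = int(fields["syscall"])
        fields["syscall"] = SYSCALL_NAMES[arch].get(num, str(num))
    for k in UID_FIELDS:
        if k in fields and fields[k].isdigit():
            fields[k] = uids.name(int(fields[k]))
    return fields


def events_to_lines(lines, uids):
    """Yield one line per audit event; records are grouped by (timestamp, serial)."""
    current_key, parts = None, []

    def flush():
        return "audit(%s:%s) %s" % (current_key[0], current_key[1], " | ".join(parts))

    for line in lines:
        rec = parse_record(line)
        if rec is None:  # not an audit record (blank line, noise): skip it
            continue
        rtype, ts, serial, fields = rec
        key = (ts, serial)
        if current_key is not None and key != current_key:
            yield flush()  # a new serial means the previous event is complete
            parts = []
        current_key = key
        fields = enrich(rtype, fields, uids)
        parts.append(rtype + " " + " ".join("%s=%s" % kv for kv in fields.items()))
    if current_key is not None:
        yield flush()


def convert(log_text, lookup=passwd_lookup):
    """Return (list of one-line events, number of uid lookups performed)."""
    uids = UidCache(lookup)
    return list(events_to_lines(log_text.splitlines(), uids)), uids.misses


# Constructed sample: one execve event with four records, then a failed open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 euid=1000 tty=pts0 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1700000000.123:456): argc=1 a0="id"
type=CWD msg=audit(1700000000.123:456):  cwd="/home/alice"
type=PATH msg=audit(1700000000.123:456): item=0 name="/usr/bin/id" inode=1234 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.124:457): arch=40000003 syscall=5 success=no exit=-13 auid=1000 uid=1001 euid=1001 comm="cat" exe="/bin/cat" key="secrets"
type=PATH msg=audit(1700000000.124:457): item=0 name="/etc/shadow" ouid=0 ogid=42
"""

if __name__ == "__main__":
    out, misses = convert(SAMPLE_LOG, CONSTRUCTED_PASSWD.__getitem__)
    print("\n".join(out))
    print("uid lookups performed:", misses)
```

Two points worth noting for a collector-side design. The cache answers six uid fields across the sample with only three real lookups (alice, root, and the unknown 1001), which is the saving the post's getpw* cache is after; and an unknown uid is passed through as its number rather than guessed, so the central system still sees something it can reconcile later. Grouping on the (timestamp, serial) pair rather than on record type is what makes the output robust to events with a variable number of PATH records.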