[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Absolute path names in PATH records



On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:
> The audit parsing library (auparse) can reassemble independent
> records into a single event (but currently only if the records occur
> sequentially, non-sequential record assembly is a future feature).

I'm evaluating a third party product (RSA's enVision) for handling large
volumes of audit data from large numbers of hosts. I'm delivering audit
records to it from a custom auditd which does little other than wrap the
records it receives as syslog and sending it in a UDP packet to the
collector. This is for performance reasons as we're generating a lot of
audit data. Post-processing with auparse would require either doing this
inline, on-node, which I don't think would be feasible because of
performance, or running it on the enVision appliance, which definitely
isn't feasible as it runs Windows ;) enVision can plug things back
together, but again it's limited in what it can do in-line for
performance reasons. It would be easiest all-round if we got the
information pre-digested.

> The ability of the kernel to emit audit records with path information
> has been evolving in different kernel versions. I'm sorry but I don't
> have detailed version information on some of this. The AUDIT_AVC_PATH
> record was added to give complete path information in conjunction with
> an AUDIT_AVC record (i.e. these two records are members of a single
> audit event). However in RHEL 5.1, kernel 2.6.22 the AUDIT_AVC_PATH
> record is going away and the path instead will be in the avc record.
> 
> I'm not 100% positive, but I believe the work done to support
> AUDIT_AVC_PATH by capturing path information prior to sys call
> transition where only the inode is passed to the kernel will now result
> in complete path information in other audit records as well, perhaps
> Steve Grubb can give precise information on this.

Steve? I'm using RHEL 4.5, btw.

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]