
Re: [RFC] New ausearch output option & audit viewing in Spacewalk



On Monday 08 June 2009 12:46:37 pm Joshua Roys wrote:
> As part of developing an audit viewing "plugin"[1] to Spacewalk[2], I
> wrote a small program to use libauparse to output (easily)
> machine-parsable audit logs.  I think this functionality would be nice
> to have in ausearch, and as such, wrote a patch for it.

Very interesting work. When you apply this patch and select its output format, 
what does the output look like?


> As well as reviewing this patch, I would like your feedback concerning
> the Spacewalk audit plugin.  Any questions or constructive criticism is
> welcome.

I think this is a very interesting project. But, I have to admit that I don't 
use ausearch as the normal presentation program when I'm researching some 
audit events. For example, a typical investigation may go something like 
this:

1) you run aureport to see what is going on. hmm...no avcs...but lots of 
files, therefore you are getting hits on rules. wonder which ones?
2) you run the key report to see what the nature of hits is like. The access 
key seems to be getting a lot of hits, wonder which files it might be?
3) you run ausearch selecting the access key and pipe that into the file 
summary report. You notice one file is getting lots of hits. Wonder who is 
doing it?
4) you run ausearch selecting the access key and the file name and pipe that 
into the user summary report.
5) you notice it's one acct and you wonder what all failures that person has 
had this session so you re-run the last ausearch command with --just-one so 
you can find the ses=value. Then you run ausearch --session value --success no 
and send that to aureport to get an overview of the session.
...

So, I'd recommend adding aureport's main summary and the aureport key summary 
reports to the output so that you can see if there is any reason to do a 
deeper investigation.

Interesting work!

-Steve
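The investigation Steve walks through above, as an added example run over constructed raw audit records (this is not code from the audit package, from ausearch/aureport, or from the Spacewalk plugin): a small Python script that groups raw records into events by their audit(timestamp:serial) stamp the way ausearch does, then computes the key summary, the per-key file summary, the per-file user summary, the --just-one session lookup and the --success no session filter. The log lines, the `access` and `sshd_config` keys, the auid/ses values and every function name are constructed for illustration; the comments name the roughly equivalent ausearch/aureport invocations.

```python
import re
from collections import Counter

# Constructed raw audit records (not a real log). Each event is a SYSCALL record
# plus a PATH record sharing one msg=audit(TIMESTAMP:SERIAL) stamp. Real logs
# also carry CWD and further PATH items; they are omitted here for brevity.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1244480797.123:1001): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2101 auid=500 uid=500 ses=4 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1244480797.123:1001): item=0 name="/etc/shadow" inode=65537 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244480801.447:1002): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2102 auid=500 uid=500 ses=4 comm="less" exe="/usr/bin/less" key="access"
type=PATH msg=audit(1244480801.447:1002): item=0 name="/etc/shadow" inode=65537 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244480812.008:1003): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2105 auid=500 uid=500 ses=4 comm="vi" exe="/bin/vi" key="access"
type=PATH msg=audit(1244480812.008:1003): item=0 name="/etc/shadow" inode=65537 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244480830.551:1004): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2210 auid=501 uid=501 ses=7 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1244480830.551:1004): item=0 name="/etc/passwd" inode=65536 dev=fd:00 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1244480845.902:1005): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2111 auid=500 uid=500 ses=4 comm="cat" exe="/bin/cat" key="sshd_config"
type=PATH msg=audit(1244480845.902:1005): item=0 name="/etc/ssh/sshd_config" inode=70001 dev=fd:00 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1244480850.117:1006): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2112 auid=500 uid=500 ses=4 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1244480850.117:1006): item=0 name="/etc/gshadow" inode=65538 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1244480860.300:1007): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2215 auid=501 uid=501 ses=7 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1244480860.300:1007): item=0 name="/tmp/notes" inode=90001 dev=fd:00 mode=0100644 ouid=501 ogid=501
"""

# name=value pairs: quoted strings, parenthesised values such as (null), or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_events(raw):
    """Group records by their audit(ts:serial) stamp, as ausearch does, and
    flatten each event to the fields the investigation needs."""
    events = {}
    for line in raw.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "time": float(m.group(1)), "files": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev["success"] = fields.get("success") == "yes"
            ev["auid"] = fields.get("auid")
            ev["ses"] = fields.get("ses")
            ev["comm"] = fields.get("comm")
            key = fields.get("key")
            ev["key"] = None if key in (None, "(null)") else key
        elif fields.get("type") == "PATH" and fields.get("name") not in (None, "(null)"):
            ev["files"].append(fields["name"])
    return [events[s] for s in sorted(events)]


def key_summary(events):
    """Step 2: hits per rule key (roughly: aureport -k --summary)."""
    return Counter(ev["key"] for ev in events if ev.get("key"))


def file_summary(events, key):
    """Step 3: files hit under one key (roughly: ausearch -k KEY | aureport -f --summary)."""
    return Counter(f for ev in events if ev.get("key") == key for f in ev["files"])


def user_summary(events, key, path):
    """Step 4: who touched that file (roughly: ausearch -k KEY -f PATH | aureport -u --summary)."""
    return Counter(ev["auid"] for ev in events if ev.get("key") == key and path in ev["files"])


def just_one_session(events, key, path):
    """Step 5a: first matching event's ses= (roughly: ausearch -k KEY -f PATH --just-one)."""
    for ev in events:
        if ev.get("key") == key and path in ev["files"]:
            return ev["ses"]
    return None


def session_failures(events, ses):
    """Step 5b: every failed event in that login session (roughly: ausearch --session SES --success no)."""
    return [ev for ev in events if ev.get("ses") == ses and ev.get("success") is False]


def investigate(raw, key="access"):
    """Run the whole drill-down and return the intermediate results."""
    events = parse_events(raw)
    files = file_summary(events, key)
    top_file = files.most_common(1)[0][0]
    ses = just_one_session(events, key, top_file)
    return {"keys": key_summary(events), "files": files, "top_file": top_file,
            "users": user_summary(events, key, top_file), "session": ses,
            "failures": session_failures(events, ses)}


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG)
    print("key summary:", dict(result["keys"]))
    print("files under key 'access':", dict(result["files"]))
    print("users hitting", result["top_file"] + ":", dict(result["users"]))
    print("session", result["session"], "failures:",
          [(ev["serial"], ev["comm"], ev["files"][0]) for ev in result["failures"]])
```

Grouping by the audit(ts:serial) stamp is the one thing this script gets right that a per-line grep does not: the key lives on the SYSCALL record, the file name on the PATH record, so a file summary per key only works after the two are joined into one event. That join is also what any external viewer such as the proposed Spacewalk plugin has to reproduce from machine-parsable output.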

