[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: creating and inserting audits



On Tue, 2010-09-07 at 16:38 -0400, Nestler, Roger - IS wrote:
>  

> Does this capability exist already in linux audit and I’m just not
> seeing it???
> 

man audit_log_user_message
 
> 
> Is it a bad idea to build and then to insert a custom audit/message,
> or any standard audit, into the audit.log file?

Nope.

> If so are there any problems to look out for , e.g event id/sequence
> number collisions, auparse or ausearch problems, formatting issues to
> adhere to???
> 

The text in the audit_log_user_message is not really freeform-safe, and
it is practically limited to somewhere around 900+ bytes (from a kernel
setting, unless it has been updated since).

The parser will throw away some of your records if the text matches what
it is looking for elsewhere. Maybe Steve can point out the specs. For
example, I had this one:

> > # ausearch -ts this-week -a 22476
> > <no matches>
> >
> > in the raw log:
> > node=slim type=USER msg=audit(1244730722.536:22476): user pid=16700
> > uid=0 auid=500 ses=1 subj=user_u:user_r:user_t:s0 msg='node=jim
> > type=PATH msg=audit(06/08/2009 13:33:50.101:19267) : item=4
> > name=/var/lib/ntp/drift inode=115581 dev=fd:00 mode=file,644
ouid=ntp
> > ogid=ntp rdev=00:00 obj=system_u:object_r:ntp_drift_t:s0 :
> > exe="/usr/local/sbin/auditctl" (hostname=?, addr=?, terminal=pts/13
> > res=success)'
> >
> > Any clues?
> 
> When ausearch finds a malformed record, it discards it as a safety
measure.
> 
> -Steve

LCB.

-- 
LC (Lenny) Bruzenak
lenny magitekltd com



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]