
Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines

Just another question.

Currently, auvirt has two different modes defined by the options "--summary" and "--raw". In your last email, you suggested that summary would be laid out like the aulast program. Do you think it would be a good idea to have an option to output all the matched records, as in "--raw", but using a layout similar to aulast too?


On 01/05/2012 02:44 PM, Marcelo Cerri wrote:
Hi Steve,

Thanks for your feedback.

I'm already updating the source code based on your comments and looking for other events that may be correlated to a VM.

But I'm not sure what "anomaly events" means. Would it be malformed records (without some fields, for example) or a specific record type generated by the kernel or some other userspace application?


On 12/20/2011 04:18 PM, Steve Grubb wrote:
On Thursday, December 15, 2011 10:56:51 AM Marcelo Cerri wrote:
This patch adds a new tool to extract information related to virtual
machines from the audit log files. It can output a summary with
information about the number of events found with details by type of
record and operation. The tool can also output the filtered records as
found in the audit log.

Using the --avc option, auvirt tries to correlate AVC records to the guests based on their security context. It's also possible to select records related to just one guest using the UUID or the guest name.
I'm wondering about this tool. It runs fine. But I thought you were wanting to do some more sophisticated analysis of events. For example, this is the current

$ ./auvirt --file ../../../virt-audit.log
Total records:      6
Virt records:       6
Resource records:   4
Machine ID records: 1
AVC records:        0
   Start:            1
   Stop:             0
Considered time:
   Start:            Tue Dec 20 09:33:01 2011
   End:              Tue Dec 20 09:33:01 2011

This is not much different than what can be reported by ausearch/report with the new uuid and vm search fields. Also, testing with the uuid number doesn't seem to get any hits. But using the vm name does.

I plan to add a very basic virt report to aureport soon. I was wondering if the above is all anyone really wanted to see? I would think that perhaps you want some info about start/stop assignment of resources, changes in resources, and perhaps MAC or anomaly events related to a vm. But laid out like the aulast

boot  vm-name   time  (total runtime)
resource  what-kind  old-value  new-value  time (total time assigned)
avc   access-type  obj  results  time
shutdown  vm-name  time

and there might be other audit events associated with a vm.
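The aulast-style layout sketched above, together with the --avc correlation by security context and the per-guest selection by name or UUID, as an added example that is not part of auvirt or of this thread: a small Python parser over constructed VIRT_CONTROL and AVC records (hypothetical guest name, UUID, contexts and timestamps) that emits boot / avc / shutdown rows with the total runtime on the boot row.

```python
import re
import time
# Constructed sample records (hypothetical values, not from the thread) in the
# Linux audit VIRT_CONTROL and AVC record formats for one guest.
SAMPLE_LOG = """\
type=VIRT_CONTROL msg=audit(1324391581.101:201): pid=812 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=start reason=booted vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-ctx=system_u:system_r:svirt_t:s0:c10,c20 vm-pid=900 exe="/usr/sbin/libvirtd" res=success'
type=AVC msg=audit(1324391700.500:202): avc:  denied  { read } for  pid=900 comm="qemu-kvm" name="disk.img" scontext=system_u:system_r:svirt_t:s0:c10,c20 tcontext=system_u:object_r:var_t:s0 tclass=file
type=VIRT_CONTROL msg=audit(1324395181.202:203): pid=812 uid=0 subj=system_u:system_r:virtd_t:s0 msg='virt=kvm op=stop reason=shutdown vm="guest1" uuid=11111111-2222-3333-4444-555555555555 vm-ctx=system_u:system_r:svirt_t:s0:c10,c20 vm-pid=900 exe="/usr/sbin/libvirtd" res=success'
"""
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(\w+)\s+\{ ([^}]*) \}")

def parse_record(line):
    """Split one audit line into (record type, epoch seconds, key=value fields)."""
    rtype = line.split(None, 1)[0].split("=", 1)[1]
    ts = int(TS_RE.search(line).group(1))
    return rtype, ts, {k: v.strip("\"'") for k, v in KV_RE.findall(line)}

def virt_report(log_text, guest=None):
    """Return aulast-style [kind, vm, epoch, detail] rows; `guest` (name or UUID)
    restricts output to one VM. AVCs are tied to a guest via the vm-ctx label."""
    rows, open_boot, ctx_to_vm = [], {}, {}
    for line in log_text.splitlines():
        rtype, ts, f = parse_record(line)
        if rtype == "VIRT_CONTROL" and f.get("res") == "success":
            vm = f["vm"]
            if guest and guest not in (vm, f.get("uuid")):
                continue
            if f["op"] == "start":
                ctx_to_vm[f["vm-ctx"]] = vm              # guest's SELinux context
                open_boot[vm] = ["boot", vm, ts, None]   # runtime filled in at stop
                rows.append(open_boot[vm])
            elif f["op"] == "stop":
                started = open_boot.pop(vm, None)
                if started:
                    started[3] = ts - started[2]         # total runtime, seconds
                rows.append(["shutdown", vm, ts, None])
        elif rtype == "AVC":
            vm = ctx_to_vm.get(f.get("scontext"))        # unknown context: not a guest
            if vm is not None:
                m = AVC_RE.search(line)
                rows.append(["avc", vm, ts, f"{m.group(1)} {{{m.group(2)}}} {f['tclass']}"])
    return rows

def format_report(rows):
    """Render rows in the boot / avc / shutdown layout proposed in the thread."""
    lines = []
    for kind, vm, ts, detail in rows:
        when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts))
        tail = f"  ({detail}s runtime)" if kind == "boot" and detail is not None else f"  {detail}" if detail else ""
        lines.append(f"{kind:<9}{vm:<8}{when}{tail}")
    return "\n".join(lines)
```

Run `print(format_report(virt_report(SAMPLE_LOG)))` to see the three rows; an AVC whose scontext matches no started guest is left out rather than attributed to a VM by guesswork.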

