
Re: [PATCH] auvirt: a new tool for reporting events related to virtual machines



Hi,

These are some output examples of auvirt. What do you think?

I just added a "--full" option because libvirt can generate several resource events and this can make the output confusing.

Regards,
Marcelo

------

$ ./auvirt
start guest-name-1    root    Tue Jan 10 11:05
stop  guest-name-1    root    Tue Jan 10 11:39
start guest-name-2    root    Wed Jan 11 15:23
start guest-name-2    root    Wed Jan 11 16:28
start guest-name-1    root    Wed Jan 12 19:47

$ ./auvirt --show-uuid
start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:05
stop  guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:39
start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 15:23
start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 16:28
start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Wed Jan 12 19:47

$ ./auvirt --summary # keep the same behaviour

$ ./auvirt --uuid fb4149f5-9ff6-4095-f6d3-a1d03936fdfa
start guest-name-1    root    Tue Jan 10 11:05
stop  guest-name-1    root    Tue Jan 10 11:39
start guest-name-1    root    Wed Jan 12 19:47

$ ./auvirt --vm-name guest-name-2
start guest-name-2    root    Wed Jan 11 15:23
start guest-name-2    root    Wed Jan 11 16:28

$ ./auvirt --full --uuid f937029b-93ca-4e13-b40b-663f46323503
res   guest-name-2    root    Wed Jan 11 15:23    disk    "?"    "/images/guest-2.img"
res   guest-name-2    root    Wed Jan 11 15:23    vcpu    "0"    "4"
res   guest-name-2    root    Wed Jan 11 15:23    net     "?"    "52:54:00:DB:AE:B4"
res   guest-name-2    root    Wed Jan 11 15:23    mem     "?"    "1048576"
start guest-name-2    root    Wed Jan 11 15:23
avc   guest-name-2    root    Wed Jan 11 19:49    read    "/images/guest-2.img"    denied
res   guest-name-2    root    Wed Jan 11 15:23    mem     "1048576"    "2097152"
stop  guest-name-2    root    Wed Jan 11 16:28

$ ./auvirt --full # same as above but showing events related to all guests


On 01/11/2012 07:48 PM, Steve Grubb wrote:
On Monday, January 09, 2012 12:00:32 PM Marcelo Cerri wrote:
Just another question.

Currently, auvirt has two different modes defined by the options
"--summary" and "--raw". In your last email, you suggested that summary
would be laid out like the aulast program.

Yeah, I was thinking of something like a timeline so that you can see what happened
to resources and in what order. It just so happens aulast is also a time line of
system boots and logins. When it comes to a virt guest, I would want to see it
boot, things assigned, things removed, anything funny happening to it, and then
it shutting down. I also think the host being booted/shutdown might ought to be
in there, too.


Do you think it would be a good idea to have an option to output all the
matched records, as in "--raw", but using a layout similar to aulast too?

I think you want both a concise report and the ability to pull just the records
that made up the report. Aulast does this by having a proof mode that, instead of
giving you the records, tells you how to pull them with ausearch.

-Steve


On 01/05/2012 02:44 PM, Marcelo Cerri wrote:
Hi Steve,

Thanks for your feedback.

I'm already updating the source code based on your comments and
looking for other events that may be correlated to a VM.

But I'm not sure what "anomaly events" means. Would it be malformed
records (without some fields, for example) or a specific record type
generated by the kernel or some other userspace application?

Regards,
Marcelo

On 12/20/2011 04:18 PM, Steve Grubb wrote:
On Thursday, December 15, 2011 10:56:51 AM Marcelo Cerri wrote:
This patch adds a new tool to extract information related to virtual
machines from the audit log files. It can output a summary with
information about the number of events found with details by type of
record and operation. The tool can also output the filtered records as
found in the audit log.

Using the --avc option auvirt tries to correlate AVC records to the guests
based on their security context. It's also possible to select records
related to just one guest using the UUID or the guest name.

I'm wondering about this tool. It runs fine. But I thought you were
wanting to do some more sophisticated analysis of events. For example
this is the current output:

$ ./auvirt --file ../../../virt-audit.log
Total records:      6
Virt records:       6
Resource records:   4
Machine ID records: 1
AVC records:        0

Operations:
    Start:            1
    Stop:             0

Considered time:
    Start:            Tue Dec 20 09:33:01 2011
    End:              Tue Dec 20 09:33:01 2011

This is not much different than what can be reported by ausearch/report
with the new uuid and vm search fields. Also, testing with the uuid
number doesn't seem to get any hits. But using the vm name does.

I plan to add a very basic virt report to aureport soon. I was wondering
if the above is all anyone really wanted to see? I would think that
perhaps you want some info about start/stop assignment of resources,
changes in resources, and perhaps MAC or anomaly events related to a vm.
But laid out like the aulast program.

boot  vm-name   time  (total runtime)
resource  what-kind  old-value  new-value  time (total time assigned)
avc   access-type  obj  results  time
shutdown  vm-name  time

and there might be other audit events associated with a vm.

-Steve


