* Auditd 1.0.15 in RHEL4 U4
From: Matthew Booth @ 2007-02-12 13:54 UTC (permalink / raw)
  To: linux-audit

I have a requirement to stream audit logs from RHEL 4. The product will
have to be deployed before RHEL 4.5 is likely to be released, so I
expect I will have to import the 4.5 rpm into U4. Will this work without
any other 4.5 updates?

Also, I had a quick flick through the dispatcher example. I note that
it's shipping binary logs. This is great from a storage POV, however it
wasn't clear to me how this would tie in with the existing audit tools.
If I simply dump the binary data to a file, can I easily:

* Turn it into text?
* Process it with aureport/ausearch?

Also, as far as you're aware, has anybody already implemented the simplest
possible centralised log server? i.e.:

* Stream uncompressed, unencrypted, unauthenticated audit logs to server
* Write 1 log file per client audit daemon
* Rotate on signal, respecting message boundaries

I'll be writing this if not.

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


* Re: Auditd 1.0.15 in RHEL4 U4
From: Steve Grubb @ 2007-02-13  2:29 UTC (permalink / raw)
  To: linux-audit

On Monday 12 February 2007 08:54, Matthew Booth wrote:
> Will this work without any other 4.5 updates?

Yes.

> Also, I had a quick flick through the dispatcher example. I note that
> it's shipping binary logs. 

Hmm. I don't recall any binary logs in examples...are you sure?

> This is great from a storage POV, however it wasn't clear to me how this
> would tie in with the existing audit tools. If I simply dump the binary data
> to a file, can I easily: 
>
> * Turn it into text?
> * Process it with aureport/ausearch?

Need the answer to the above before I can answer this. But then again...I 
would not release anything that did binary formats without having the whole 
thing tied together. IOW, I would release something that could read as well 
as write a binary format. And I don't recall doing any binary format work.

> Also, as far as you're aware, has anybody already implemented the simplest
> possible centralised log server? i.e.:
>
> * Stream uncompressed, unencrypted, unauthenticated audit logs to server
> * Write 1 log file per client audit daemon
> * Rotate on signal, respecting message boundaries

I believe so. I think the SNARE guys wrote a perl script that uses the 
realtime interface and transfers data to their centralized logger.

> I'll be writing this if not.

Well, in about a week we'll be releasing a new & improved event dispatcher 
that will allow multiple programs to hang off it and then we'll start looking 
into a centralized collection system, too.

-Steve


* Re: Auditd 1.0.15 in RHEL4 U4
From: Matthew Booth @ 2007-02-14 14:45 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Mon, 2007-02-12 at 21:29 -0500, Steve Grubb wrote:
> > Also, I had a quick flick through the dispatcher example. I note that
> > it's shipping binary logs. 
> 
> Hmm. I don't recall any binary logs in examples...are you sure?

I was going by this document:
http://people.redhat.com/sgrubb/audit/audit-rt-events.txt

Is that not the interface you will be presenting?

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


* Re: Auditd 1.0.15 in RHEL4 U4
From: Steve Grubb @ 2007-02-14 15:55 UTC (permalink / raw)
  To: Matthew Booth; +Cc: linux-audit

On Wednesday 14 February 2007 09:45:10 Matthew Booth wrote:
> On Mon, 2007-02-12 at 21:29 -0500, Steve Grubb wrote:
> > > Also, I had a quick flick through the dispatcher example. I note that
> > > it's shipping binary logs.
> >
> > Hmm. I don't recall any binary logs in examples...are you sure?
>
> I was going by this document:
> http://people.redhat.com/sgrubb/audit/audit-rt-events.txt
>
> Is that not the interface you will be presenting?

That is the interface I am presenting. There are a couple binary elements that 
are part of the header, but the event data itself follows the header and is 
just one big string exactly as it came from the kernel. That could 
change if the protocol version number changes from 0. But it should remain 
constant across a shipping product's lifetime.

-Steve
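The framing Steve describes (a small binary header, then the event text exactly as the kernel emitted it) is enough to answer the three practical questions from the first message: strip the header and you have plain audit text again, and a receiver can write one file per client and rotate only between records. The following is an added example, not code from this thread or from the audit project. It assumes a header of four native-order 32-bit fields (protocol version, header length, message type, payload size), which is the author's understanding of the protocol version 0 header but is not spelled out in the thread, so check it against the libaudit headers of the release actually deployed. The sample events are constructed.

```python
import os
import struct
import tempfile

# Assumed header layout (the thread does not spell it out): four native-order
# 32-bit fields: protocol version, header length, message type, payload size.
# Verify against libaudit.h for the audit version in use before relying on it.
HEADER_FMT = "=IIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16 bytes
PROTOCOL_VER = 0                           # the "version 0" Steve refers to


def frame_event(msg_type, text, ver=PROTOCOL_VER):
    """Build one framed record the way a dispatcher would. Used here only to
    construct sample input; the event text passes through untouched."""
    payload = text.encode()
    return struct.pack(HEADER_FMT, ver, HEADER_LEN, msg_type, len(payload)) + payload


class AudispStreamDecoder:
    """Incremental decoder: feed arbitrary byte chunks (socket or pipe reads),
    get back only complete (type, text) events. A record that straddles a
    chunk boundary stays buffered until the rest arrives."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        self._buf += chunk
        events = []
        while len(self._buf) >= HEADER_LEN:
            ver, hlen, mtype, size = struct.unpack_from(HEADER_FMT, self._buf)
            if ver != PROTOCOL_VER:
                raise ValueError("unsupported dispatcher protocol version %d" % ver)
            if hlen < HEADER_LEN:
                raise ValueError("bad header length %d" % hlen)
            if len(self._buf) < hlen + size:
                break                      # wait for the rest of this record
            payload = self._buf[hlen:hlen + size]
            self._buf = self._buf[hlen + size:]
            events.append((mtype, payload.decode(errors="replace")))
        return events

    def pending(self):
        """Bytes of an incomplete record still waiting in the buffer."""
        return len(self._buf)


class PerClientLog:
    """One text log file per client daemon. A rotation request (e.g. from a
    SIGHUP handler) is acted on only at the next record boundary, so no event
    is ever split across two files."""

    def __init__(self, directory, client):
        self.path = os.path.join(directory, client + ".log")
        self.generation = 0
        self.rotate_requested = False
        self._fh = open(self.path, "a")

    def request_rotate(self, *_):          # usable directly as a signal handler
        self.rotate_requested = True

    def write_event(self, text):
        if self.rotate_requested:          # rotate between records, never inside one
            self._fh.close()
            self.generation += 1
            os.rename(self.path, "%s.%d" % (self.path, self.generation))
            self._fh = open(self.path, "a")
            self.rotate_requested = False
        self._fh.write(text.rstrip("\n") + "\n")
        self._fh.flush()

    def close(self):
        self._fh.close()


# Constructed sample: three records of one audit event, already in kernel text form.
SAMPLE_EVENTS = [
    frame_event(1300, "type=SYSCALL msg=audit(1171288445.123:42): arch=c000003e syscall=2 success=yes"),
    frame_event(1302, 'type=PATH msg=audit(1171288445.123:42): item=0 name="/etc/shadow"'),
    frame_event(1320, "type=EOE msg=audit(1171288445.123:42): "),
]


def run_demo(directory=None):
    """Feed the sample stream through the decoder in awkward 7-byte chunks,
    request a rotation after the first event, and return what landed in each
    file plus how many bytes were left undecoded."""
    directory = directory or tempfile.mkdtemp()
    decoder = AudispStreamDecoder()
    log = PerClientLog(directory, "host1")
    stream = b"".join(SAMPLE_EVENTS)
    written = 0
    for i in range(0, len(stream), 7):
        for _mtype, text in decoder.feed(stream[i:i + 7]):
            log.write_event(text)
            written += 1
            if written == 1:
                log.request_rotate()       # stands in for a signal arriving here
    log.close()
    files = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            files[name] = fh.read().splitlines()
    return files, decoder.pending()
```

Calling `run_demo()` writes the first event to `host1.log.1` and the remaining two to a fresh `host1.log`, even though the bytes arrived in 7-byte pieces that cut through headers and payloads. The output files contain the untouched kernel text, which is why nothing special is needed to feed them to the text-based audit tools; the only thing this receiver adds is the decoder's version check, so a future protocol change fails loudly instead of producing silently misparsed logs.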
