On Mon, 2007-07-02 at 16:43 -0400, John Dennis wrote:

> The audit parsing library (auparse) can reassemble independent
> records into a single event (but currently only if the records occur
> sequentially, non-sequential record assembly is a future feature).

I'm evaluating a third party product (RSA's enVision) for handling large volumes of audit data from large numbers of hosts. I'm delivering audit records to it from a custom auditd which does little other than wrap the records it receives as syslog and send them in a UDP packet to the collector. This is for performance reasons as we're generating a lot of audit data. Post-processing with auparse would require either doing this inline, on-node, which I don't think would be feasible because of performance, or running it on the enVision appliance, which definitely isn't feasible as it runs Windows ;)

enVision can plug things back together, but again it's limited in what it can do in-line for performance reasons. It would be easiest all-round if we got the information pre-digested.

> The ability of the kernel to emit audit records with path information
> has been evolving in different kernel versions. I'm sorry but I don't
> have detailed version information on some of this. The AUDIT_AVC_PATH
> record was added to give complete path information in conjunction with
> an AUDIT_AVC record (i.e. these two records are members of a single
> audit event). However in RHEL 5.1, kernel 2.6.22 the AUDIT_AVC_PATH
> record is going away and the path instead will be in the avc record.
>
> I'm not 100% positive, but I believe the work done to support
> AUDIT_AVC_PATH by capturing path information prior to sys call
> transition where only the inode is passed to the kernel will now result
> in complete path information in other audit records as well, perhaps
> Steve Grubb can give precise information on this. Steve?

I'm using RHEL 4.5, btw.

Thanks,

Matt

--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
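The thread turns on two points: auparse (at the time) could only stitch records back into an event when they arrived sequentially, and the full path for an AVC denial lived either in a companion AVC_PATH record (older kernels) or, from RHEL 5.1 on, in the AVC record itself. The following is an added illustration, not code from the thread or from the audit project, of what "reassembling records into an event" means on raw audit lines: every record of one event carries the same msg=audit(TIMESTAMP:SERIAL) header, so the serial is the join key. The sample records below are constructed (the PIDs, inode and serial numbers are made up), and the function names are this example's own. It also shows why purely sequential assembly breaks when two events interleave, as they easily can once records are shipped over UDP syslog.

```python
import re

# Every record of one audit event shares the msg=audit(TIMESTAMP:SERIAL)
# header; the serial is what lets independent records be stitched together.
RECORD_RE = re.compile(r'^type=(\S+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')

# Constructed sample input (not from the thread). Event 101 (AVC + AVC_PATH +
# SYSCALL) is interleaved with event 102, plus one non-audit syslog line.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1183408993.123:101): avc:  denied  { read } for  pid=2345 '
    'comm="cat" name="shadow" dev=sda2 ino=12345 scontext=user_u:system_r:user_t '
    'tcontext=system_u:object_r:shadow_t tclass=file',
    'type=AVC_PATH msg=audit(1183408993.123:101):  path="/etc/shadow"',
    'type=USER_LOGIN msg=audit(1183408993.200:102): user pid=2400 uid=0 auid=500 '
    'msg=\'acct="matt" exe="/usr/sbin/sshd" res=success\'',
    'Jul  2 16:43:01 host kernel: not an audit record at all',
    'type=SYSCALL msg=audit(1183408993.123:101): arch=c000003e syscall=2 success=no '
    'exit=-13 pid=2345 auid=500 comm="cat" exe="/bin/cat"',
]

def parse_record(line):
    """Split one raw line into (type, event_id, body); None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return rtype, (ts, int(serial)), body

def assemble_sequential(lines):
    """Sequential assembly, the limitation the thread describes: a new event starts
    whenever a record's id differs from the previous record's, so interleaved
    records of the same event end up split across two events."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, eid, body = rec
        if not events or events[-1]["id"] != eid:
            events.append({"id": eid, "records": []})
        events[-1]["records"].append((rtype, body))
    return events

def assemble_events(lines):
    """Assembly keyed on the event id: records that arrive out of order still land
    in the same event. Events are returned in order of first appearance."""
    by_id, order = {}, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, eid, body = rec
        if eid not in by_id:
            by_id[eid] = {"id": eid, "records": []}
            order.append(eid)
        by_id[eid]["records"].append((rtype, body))
    return [by_id[eid] for eid in order]

def record_types(event):
    """Record types of an assembled event, in the order they were seen."""
    return [rtype for rtype, _ in event["records"]]

def event_path(event):
    """Full path for an AVC event: from the companion AVC_PATH record on older
    kernels, or from a path= field inside the AVC record itself on newer ones."""
    for wanted in ("AVC_PATH", "AVC"):
        for rtype, body in event["records"]:
            if rtype == wanted:
                m = re.search(r'path="([^"]*)"', body)
                if m:
                    return m.group(1)
    return None

if __name__ == "__main__":
    print("sequential:", [(e["id"][1], record_types(e)) for e in assemble_sequential(SAMPLE_RECORDS)])
    for ev in assemble_events(SAMPLE_RECORDS):
        print("by id:", ev["id"][1], record_types(ev), "path:", event_path(ev))
```

The sequential pass yields three events (101, 102, 101) for what are really two, which is exactly the gap a collector has to close if it receives a stream from many hosts; keying on the id yields two, with the AVC_PATH record joined to its AVC and SYSCALL records so the path can be pulled out of the assembled event.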
