Just another question.
Currently, auvirt has two different modes defined by the options "--summary" and "--raw". In your last email, you suggested that the summary would be laid out like the aulast program. Do you think it would be a good idea to have an option to output all the matched records, as in "--raw", but using a layout similar to aulast too?
Regards,
Marcelo
On 01/05/2012 02:44 PM, Marcelo Cerri wrote:
Hi Steve,
Thanks for your feedback.
I'm already updating the source code based on your comments and looking for other events that may be correlated to a VM.
But I'm not sure what "anomaly events" means. Would it be malformed records (without some fields, for example) or a specific record type generated by the kernel or some other userspace application?
Regards,
Marcelo
On 12/20/2011 04:18 PM, Steve Grubb wrote:
On Thursday, December 15, 2011 10:56:51 AM Marcelo Cerri wrote:
This patch adds a new tool to extract information related to virtual machines from the audit log files. It can output a summary with information about the number of events found with details by type of record and operation. The tool can also output the filtered records as found in the audit log.
Using the --avc option auvirt tries to correlate AVC records to the guests based on their security context. It's also possible to select records related to just one guest using the UUID or the guest name.
I'm wondering about this tool. It runs fine. But I thought you were wanting to do some more sophisticated analysis of events. For example this is the current output:
$ ./auvirt --file ../../../virt-audit.log
Total records: 6
Virt records: 6
  Resource records: 4
  Machine ID records: 1
  AVC records: 0
Operations:
  Start: 1
  Stop: 0
Considered time:
  Start: Tue Dec 20 09:33:01 2011
  End: Tue Dec 20 09:33:01 2011
This is not much different than what can be reported by ausearch/report with the new uuid and vm search fields. Also, testing with the uuid number doesn't seem to get any hits. But using the vm name does.
I plan to add a very basic virt report to aureport soon. I was wondering if the above is all anyone really wanted to see? I would think that perhaps you want some info about start/stop assignment of resources, changes in resources, and perhaps MAC or anomaly events related to a vm. But laid out like the aulast program.
boot vm-name time (total runtime)
resource what-kind old-value new-value time (total time assigned)
avc access-type obj results time
shutdown vm-name time
and there might be other audit events associated with a vm.
-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
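The per-guest, aulast-style timeline Steve sketches above (boot / resource / avc / shutdown, each with its time and total runtime or time assigned) and the --avc correlation Marcelo describes can be prototyped against the raw audit log in a few dozen lines. What follows is an added example written for this page; it is not auvirt's, aureport's or libvirt's code. It assumes the VIRT_MACHINE_ID, VIRT_RESOURCE and VIRT_CONTROL record shapes that libvirt emits (virt=, op=, resrc=, vm=, uuid=, vm-ctx=, old-*/new-*), and the sample log is constructed, not captured. The AVC-to-guest link works the way the patch description says auvirt's --avc does: VIRT_MACHINE_ID ties the guest's SELinux label (vm-ctx) to its UUID, and an AVC record whose scontext matches that label is attributed to the guest; an AVC for any other label (here an httpd_t denial) is dropped.

```python
"""Added example: build an aulast-style per-VM timeline from audit records.
Record formats are assumed from libvirt's audit output; SAMPLE_LOG is constructed."""
import re
import time
from collections import defaultdict

UUID1 = "11111111-2222-3333-4444-555555555555"   # constructed guest UUIDs
UUID2 = "66666666-7777-8888-9999-000000000000"
CTX1 = "system_u:system_r:svirt_t:s0:c12,c34"    # constructed svirt labels
CTX2 = "system_u:system_r:svirt_t:s0:c56,c78"

# Constructed sample log: guest1 boots with 1 GiB, trips one AVC denial, is
# grown to 2 GiB an hour later and shut down an hour after that; guest2 only
# boots.  The httpd_t AVC belongs to no guest and must be ignored.
SAMPLE_LOG = f"""\
type=VIRT_MACHINE_ID msg=audit(1324391581.000:101): pid=1200 uid=0 msg='virt=kvm vm="guest1" uuid={UUID1} vm-ctx={CTX1} img-ctx=system_u:object_r:svirt_image_t:s0:c12,c34 model=selinux exe="/usr/sbin/libvirtd" res=success'
type=VIRT_RESOURCE msg=audit(1324391581.000:102): pid=1200 uid=0 msg='virt=kvm resrc=mem reason=start vm="guest1" uuid={UUID1} old-mem=0 new-mem=1048576 exe="/usr/sbin/libvirtd" res=success'
type=VIRT_CONTROL msg=audit(1324391581.000:103): pid=1200 uid=0 msg='virt=kvm op=start reason=booted vm="guest1" uuid={UUID1} vm-pid=1300 exe="/usr/sbin/libvirtd" res=success'
type=VIRT_MACHINE_ID msg=audit(1324391600.000:104): pid=1200 uid=0 msg='virt=kvm vm="guest2" uuid={UUID2} vm-ctx={CTX2} img-ctx=system_u:object_r:svirt_image_t:s0:c56,c78 model=selinux exe="/usr/sbin/libvirtd" res=success'
type=VIRT_CONTROL msg=audit(1324391600.000:105): pid=1200 uid=0 msg='virt=kvm op=start reason=booted vm="guest2" uuid={UUID2} vm-pid=1400 exe="/usr/sbin/libvirtd" res=success'
type=AVC msg=audit(1324391700.000:106): avc:  denied  {{ read }}  for  pid=1300 comm="qemu-kvm" name="disk.img" dev=dm-0 ino=1234 scontext={CTX1} tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=AVC msg=audit(1324391701.000:107): avc:  denied  {{ write }}  for  pid=999 comm="httpd" name="index.html" dev=dm-0 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=VIRT_RESOURCE msg=audit(1324395181.000:108): pid=1200 uid=0 msg='virt=kvm resrc=mem reason=update vm="guest1" uuid={UUID1} old-mem=1048576 new-mem=2097152 exe="/usr/sbin/libvirtd" res=success'
type=VIRT_CONTROL msg=audit(1324398781.000:109): pid=1200 uid=0 msg='virt=kvm op=stop reason=shutdown vm="guest1" uuid={UUID1} vm-pid=1300 exe="/usr/sbin/libvirtd" res=success'
"""

REC_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(\w+)\s+\{\s*([^}]*?)\s*\}")
VIRT_TYPES = ("VIRT_MACHINE_ID", "VIRT_CONTROL", "VIRT_RESOURCE")

def parse_record(line):
    """One auditd line -> flat dict; key=value pairs inside msg='...' are merged in."""
    m = REC_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    head, sep, inner = m["rest"].partition("msg='")
    for part in (head, inner.rstrip().rstrip("'") if sep else ""):
        for k, v in KV_RE.findall(part):
            rec[k] = v.strip('"')
    am = AVC_RE.search(head)          # "denied { read }" -> result, permission
    if am:
        rec["result"], rec["access"] = am.group(1), am.group(2)
    return rec

def annotate(events):
    """Fill 'duration': a boot lasts until the next shutdown, a resource
    assignment until that resource changes again or the guest stops."""
    events.sort(key=lambda e: (e["time"], e["serial"]))
    for i, ev in enumerate(events):
        if ev["kind"] == "boot":
            ends = lambda e: e["kind"] == "shutdown"
        elif ev["kind"] == "resource":
            ends = lambda e, w=ev["what"]: e["kind"] == "shutdown" or (e["kind"] == "resource" and e["what"] == w)
        else:
            continue
        end = next((e for e in events[i + 1:] if ends(e)), None)
        ev["duration"] = None if end is None else end["time"] - ev["time"]

def correlate(log_text, guest=None):
    """Group records by guest UUID; `guest` selects one VM by UUID or name."""
    ctx_to_uuid = {}                   # svirt label -> UUID, from VIRT_MACHINE_ID
    vms = defaultdict(lambda: {"name": None, "events": []})
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    records.sort(key=lambda r: (r["time"], r["serial"]))
    for rec in records:
        t = rec["type"]
        if t == "AVC":
            uuid = ctx_to_uuid.get(rec.get("scontext"))
            if uuid is None:
                continue               # not a process running under a known guest label
            ev = {"kind": "avc", "access": rec.get("access"), "result": rec.get("result"),
                  "obj": rec.get("name") or rec.get("tcontext")}
        elif t in VIRT_TYPES:
            uuid = rec["uuid"]
            vms[uuid]["name"] = rec.get("vm", vms[uuid]["name"])
            if t == "VIRT_MACHINE_ID":
                ctx_to_uuid[rec["vm-ctx"]] = uuid
                continue
            if t == "VIRT_CONTROL":
                ev = {"kind": {"start": "boot", "stop": "shutdown"}.get(rec["op"], rec["op"]), "result": rec.get("res")}
            else:                      # VIRT_RESOURCE: whatever old-*/new-* pair the record carries
                ev = {"kind": "resource", "what": rec["resrc"],
                      "old": next((v for k, v in rec.items() if k.startswith("old-")), None),
                      "new": next((v for k, v in rec.items() if k.startswith("new-")), None)}
        else:
            continue
        ev.update(time=rec["time"], serial=rec["serial"])
        vms[uuid]["events"].append(ev)
    for vm in vms.values():
        annotate(vm["events"])
    return {u: vm for u, vm in vms.items() if guest is None or guest in (u, vm["name"])}

def fmt_time(t):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)) + " UTC"

def fmt_span(secs, still):
    return still if secs is None else "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60)

def format_report(vms):
    """Render the layout proposed on the list: one line per event, per guest."""
    lines = []
    for vm in vms.values():
        for ev in vm["events"]:
            if ev["kind"] == "boot":
                lines.append(f"boot      {vm['name']}  {fmt_time(ev['time'])}  ({fmt_span(ev['duration'], 'still running')})")
            elif ev["kind"] == "resource":
                lines.append(f"resource  {ev['what']}  {ev['old']} -> {ev['new']}  {fmt_time(ev['time'])}  ({fmt_span(ev['duration'], 'still assigned')})")
            elif ev["kind"] == "avc":
                lines.append(f"avc       {ev['access']}  {ev['obj']}  {ev['result']}  {fmt_time(ev['time'])}")
            elif ev["kind"] == "shutdown":
                lines.append(f"shutdown  {vm['name']}  {fmt_time(ev['time'])}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(correlate(SAMPLE_LOG)))
```

Timestamps are printed in UTC so the output does not depend on the host's zone; the durations come out as 02:00:00 for guest1's run and 01:00:00 for each memory assignment, while guest2, which never stops in the sample, reports "still running". Selecting by name or UUID (correlate(SAMPLE_LOG, guest="guest2")) mirrors auvirt's single-guest filter.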