Hello,

On Friday, January 13, 2012 12:25:05 PM Marcelo Cerri wrote:
> These are some output examples of auvirt. What do you think?

I think you are on the right track.

> I just added a "--full" option because libvirt can generate several
> resource events and this can make the output confusing.

Hmm. Why not call it --resource if it's a resource-specific report? Full to me implies everything for all guests.

> $ ./auvirt
> start guest-name-1 root Tue Jan 10 11:05
> stop guest-name-1 root Tue Jan 10 11:39
> start guest-name-2 root Wed Jan 11 15:23
> start guest-name-2 root Wed Jan 11 16:28
> start guest-name-1 root Wed Jan 12 19:47

Why not collapse these into 1 line like last that shows a duration?

start guest-name-1 root Tue Jan 10 11:05 - 11:39 (00:34)

Do you have any samples for when a guest is paused and restarted? I would also collapse those into a line showing the duration of the pause.

pause guest-name-1 root Tue Jan 10 11:15 - 11:30 (00:15)

> $ ./auvirt --show-uuid
> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:05
> stop guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:39
> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 15:23
> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 16:28
> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Wed Jan 12 19:47
>
> $ ./auvirt --summary # keep the same behaviour
>
> $ ./auvirt --uuid fb4149f5-9ff6-4095-f6d3-a1d03936fdfa
> start guest-name-1 root Tue Jan 10 11:05
> stop guest-name-1 root Tue Jan 10 11:39
> start guest-name-1 root Wed Jan 12 19:47
>
> $ ./auvirt --vm-name guest-name-2
> start guest-name-2 root Wed Jan 11 15:23
> start guest-name-2 root Wed Jan 11 16:28

Maybe it will be easier on admin's fingers to just call the above option --vm? I like shorter names if they make sense and are unambiguous.

> $ ./auvirt --full --uuid f937029b-93ca-4e13-b40b-663f46323503
> res guest-name-2 root Wed Jan 11 15:23 disk "?" "/images/guest-2.img"
> res guest-name-2 root Wed Jan 11 15:23 vcpu "0" "4"
> res guest-name-2 root Wed Jan 11 15:23 net "?" "52:54:00:DB:AE:B4"
> res guest-name-2 root Wed Jan 11 15:23 mem "?" "1048576"
> start guest-name-2 root Wed Jan 11 15:23
> avc guest-name-2 root Wed Jan 11 19:49 read "/images/guest-2.img" denied
> res guest-name-2 root Wed Jan 11 15:23 mem "1048576" "2097152"
> stop guest-name-2 root Wed Jan 11 16:28

I would separate avcs and anomalies into a security report. Then for the resource section, I would rearrange the fields so the time is at the end and then show the duration so you collapse 2 lines (assignment and disposal) into 1 line. For things that are disposed of at shutdown, you can just put "down" like last does when users are logged out by the system shutdown.

Overall, I think this is heading in the right direction.

Thanks,
-Steve
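The collapsing suggested in this reply can be sketched as follows; this is an added example, not auvirt code and not written by either participant in the thread. The event tuples are constructed sample data, the "resume" event name is an assumption, and leaving a guest that was never stopped without an end time is a choice made for this example.

```python
from datetime import datetime

# Constructed sample events (op, guest, user, time); not real auvirt output.
EVENTS = [
    ("start", "guest-name-1", "root", datetime(2012, 1, 10, 11, 5)),
    ("pause", "guest-name-1", "root", datetime(2012, 1, 10, 11, 15)),
    ("resume", "guest-name-1", "root", datetime(2012, 1, 10, 11, 30)),
    ("stop", "guest-name-1", "root", datetime(2012, 1, 10, 11, 39)),
    ("start", "guest-name-2", "root", datetime(2012, 1, 11, 15, 23)),
]

# Closing event -> the opening event it completes ("resume" is an assumed name).
CLOSES = {"stop": "start", "resume": "pause"}


def collapse(events):
    """Pair each opening event with its closing event, per guest."""
    open_rows = {}  # (guest, opening op) -> index of the still-open row
    rows = []       # [op, guest, user, begin, end or None]
    for op, guest, user, when in sorted(events, key=lambda e: e[3]):
        if op in CLOSES:
            idx = open_rows.pop((guest, CLOSES[op]), None)
            if idx is not None:
                rows[idx][4] = when
            # A close with no recorded open is dropped here; a real report
            # should surface it, since it points at missing audit records.
            continue
        # A repeated open (start, start) leaves the earlier row without an end.
        open_rows[(guest, op)] = len(rows)
        rows.append([op, guest, user, when, None])
    return rows


def render(rows):
    """Format rows like last(1): begin time, then end time and duration."""
    lines = []
    for op, guest, user, begin, end in rows:
        line = f"{op} {guest} {user} {begin:%a %b %d %H:%M}"
        if end is not None:
            minutes = int((end - begin).total_seconds()) // 60
            line += f" - {end:%H:%M} ({minutes // 60:02d}:{minutes % 60:02d})"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(render(collapse(EVENTS))))
```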
