On Friday, January 13, 2012 02:45:14 PM Marcelo Cerri wrote:
> I'm also suppressing the AVC records. Maybe "--all-events" or

I like this one better ^^^^

-Steve

> "--show-all-events". What do you think?
>
> On 01/13/2012 05:23 PM, Steve Grubb wrote:
> > Hello,
> >
> > On Friday, January 13, 2012 12:25:05 PM Marcelo Cerri wrote:
> >> These are some output examples of auvirt. What do you think?
> >
> > I think you are on the right track.
> >
> >> I just added a "--full" option because libvirt can generate several
> >> resource events and this can make the output confusing.
> >
> > Hmm. Why not call it --resource if it's a resource specific report? Full
> > to me implies everything for all guests.
> >
> >> $ ./auvirt
> >> start guest-name-1 root Tue Jan 10 11:05
> >> stop guest-name-1 root Tue Jan 10 11:39
> >> start guest-name-2 root Wed Jan 11 15:23
> >> start guest-name-2 root Wed Jan 11 16:28
> >> start guest-name-1 root Wed Jan 12 19:47
> >
> > Why not collapse these into 1 line like last that shows a duration?
> >
> > start guest-name-1 root Tue Jan 10 11:05 - 11:39 (00:34)
> >
> > Do you have any samples for when a guest is paused and restarted? I would
> > also collapse those into a line showing the duration of the pause.
> >
> > pause guest-name-1 root Tue Jan 10 11:15 - 11:30 (00:15)
> >
> >> $ ./auvirt --show-uuid
> >> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:05
> >> stop guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Tue Jan 10 11:39
> >> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 15:23
> >> start guest-name-2 f937029b-93ca-4e13-b40b-663f46323503 root Wed Jan 11 16:28
> >> start guest-name-1 fb4149f5-9ff6-4095-f6d3-a1d03936fdfa root Wed Jan 12 19:47
> >>
> >> $ ./auvirt --summary # keep the same behaviour
> >>
> >> $ ./auvirt --uuid fb4149f5-9ff6-4095-f6d3-a1d03936fdfa
> >> start guest-name-1 root Tue Jan 10 11:05
> >> stop guest-name-1 root Tue Jan 10 11:39
> >> start guest-name-1 root Wed Jan 12 19:47
> >>
> >> $ ./auvirt --vm-name guest-name-2
> >> start guest-name-2 root Wed Jan 11 15:23
> >> start guest-name-2 root Wed Jan 11 16:28
> >
> > Maybe it will be easier on admin's fingers to just call the above option
> > --vm? I like shorter names if they make sense and are unambiguous.
> >
> >> $ ./auvirt --full --uuid f937029b-93ca-4e13-b40b-663f46323503
> >> res guest-name-2 root Wed Jan 11 15:23 disk "?" "/images/guest-2.img"
> >> res guest-name-2 root Wed Jan 11 15:23 vcpu "0" "4"
> >> res guest-name-2 root Wed Jan 11 15:23 net "?" "52:54:00:DB:AE:B4"
> >> res guest-name-2 root Wed Jan 11 15:23 mem "?" "1048576"
> >> start guest-name-2 root Wed Jan 11 15:23
> >> avc guest-name-2 root Wed Jan 11 19:49 read "/images/guest-2.img" denied
> >> res guest-name-2 root Wed Jan 11 15:23 mem "1048576" "2097152"
> >> stop guest-name-2 root Wed Jan 11 16:28
> >
> > I would separate avcs and anomalies into a security report. Then for the
> > resource section, I would rearrange the fields so the time is at the end
> > and then show the duration so you collapse 2 lines (assignment and
> > disposal) into 1 line.
> >
> > For things that are disposed of at shutdown, you can just put "down" like
> > last does when users are logged out by the system shutdown.
> >
> > Overall, I think this is heading in the right direction.
> >
> > Thanks,
> >
> > -Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
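Steve's suggestion to collapse a start/stop (or pause/resume) pair into one line carrying a duration, the way last(1) does, as an added example that is not part of auvirt or of this thread: it reads the one-event-per-line format shown above over a constructed sample. The year (the lines carry none), the event name "resume" as the end of a pause, and the "still running" wording for a guest with no stop event are assumptions.

```python
from datetime import datetime
# Constructed sample in the thread's one-event-per-line format; the lines carry
# no year (YEAR is assumed) and "resume" is the assumed name of the pause-ending event.
YEAR = 2012
SAMPLE = """\
start guest-name-1 root Tue Jan 10 11:05
pause guest-name-1 root Tue Jan 10 11:15
resume guest-name-1 root Tue Jan 10 11:30
stop guest-name-1 root Tue Jan 10 11:39
start guest-name-2 root Wed Jan 11 15:23
start guest-name-2 root Wed Jan 11 16:28
"""
CLOSES = {"stop": "start", "resume": "pause"}  # closing event -> opening event

def parse(line):
    ev, guest, user, dow, mon, day, hhmm = line.split()
    when = datetime.strptime(f"{mon} {day} {hhmm} {YEAR}", "%b %d %H:%M %Y")
    return ev, guest, user, f"{dow} {mon} {day}", when

def duration(start, end):
    """last(1)-style span: HH:MM, or D+HH:MM when it crosses a day boundary."""
    days, rem = divmod(int((end - start).total_seconds()) // 60, 24 * 60)
    hhmm = f"{rem // 60:02d}:{rem % 60:02d}"
    return f"{days}+{hhmm}" if days else hhmm

def collapse(text):
    """Pair each start/stop and pause/resume into one line with a duration."""
    pending, rows = {}, []  # (guest, opening ev) -> (user, day, when); (sort key, line)
    def flush(key, user, day, opened, closed=None):
        end = f"{closed:%H:%M} ({duration(opened, closed)})" if closed else "still running"
        rows.append((opened, f"{key[1]} {key[0]} {user} {day} {opened:%H:%M} - {end}"))
    for line in (l for l in text.splitlines() if l.strip()):
        ev, guest, user, day, when = parse(line)
        if ev in ("start", "pause"):
            key = (guest, ev)
            if key in pending:          # reopened without a close: report the old one
                flush(key, *pending.pop(key))
            pending[key] = (user, day, when)
        elif ev in CLOSES:
            key = (guest, CLOSES[ev])
            if key in pending:
                flush(key, *pending.pop(key), closed=when)
            else:                       # close without an open: keep the raw line
                rows.append((when, f"{line}  (no matching {CLOSES[ev]})"))
        else:                           # avc/res lines pass through unchanged
            rows.append((when, line))
    for key, val in pending.items():    # guests still up at the end of the log
        flush(key, *val)
    return [row for _, row in sorted(rows, key=lambda r: r[0])]
```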
