On 08/02/2012 06:54 AM, Burn Alting wrote:
Hi,I have a scenario of a mixed collection of Linux systems, some that have users authenticate via a central ldap, others have local (/etc/passwd) authentication. This means I cannot 100% depend that the user name say, fred, with uid 1000, has the same uid on every machine he has an account on. Thus before I send my logs to a central server, I want to enrich them with user and group names I validate at the local machine. That is, I want to change an event's ids from .... uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=43 sgid=43 fsgid=43 .... to .... uid=1000(fred) gid=1000(prog) euid=1000(fred) suid=1000(fred) fsuid=1000(fred) egid=43(utmp) sgid=43(utmp) fsgid=43(utmp) .... I BELIEVE my best approach is use the event multiplexor (audispd) to convert raw logs via a child program, say based on the sample code, audisp-example (i.e. using the auparse library) and send the output of this audisp-example variant to syslog to get the event to a central repository. Is this the best approach? Are there parameters I should consider for audisp.conf (e.g. q_depth = 99999)? Does such a configuration option in audisp.conf suggest I make the buffer size set in audit.rules to something higher? Is there any consideration to having auditd have a option to directly generate user and group names in addition to uid and gids?
A while ago we were actively working on central log aggregation and ran into exactly this problem. There are a number of items in an audit log whose value can only be interpreted on the machine the event occurred on and at the moment the event occurs (or within a short duration).
There were plans to author a audit plugin that would augment the data items with their (interpreted) value. I'm not sure whatever happened to that plugin. Steve, can you elaborate?
-- John Dennis <[email protected]> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
