On Fri, 2012-08-10 at 19:51 +1000, Burn Alting wrote:
> Steve,
>
> I will go ahead with my audispd child program that enriches logs and
> use rsyslog to get them to a central repository.
> I also plan to concatenate all messages belonging to the same event
> (ie time:event_id) and send this as one syslog message to the central
> repository.
> I'd rather do this on the client systems rather than at my central
> repository, in order to gain benefits from effectively, distributed
> processing.
>
This sounds very useful, Burn.

In an EXECVE message there is something like:

    args=2 a0="ls" a1="/etc"

It would be nice if this could be changed to something like:

    command="ls /etc"

One problem is that the shell script interprets wild cards before auditd sees the command, and that can lead to long strings. So maybe that situation could become something like:

    something="ls /etc/aaa /etc/bbb /etc/ccc ..."

In most cases a human reader would recognise what is happening.

Also, sometimes the parameters are in hex instead of strings. For example, when the parameter contains quotes.

Michael

-- 
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
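As an added illustration of the enrichment discussed in this thread (example code, not part of the original mail and not from the audit project), the following Python snippet parses an audit EXECVE record, rebuilds the `a0 a1 ...` arguments into one shell-quoted `command` string, decodes the hex-encoded form that audit uses for arguments containing quotes or non-printable bytes, and truncates very long wildcard-expanded argument lists the way Michael suggests. It also extracts the `time:serial` event id that Burn wants to correlate on. The sample records, the `max_args` limit and the `parse_execve` name are constructed for this example; the `aN[M]=` chunked form is handled on the assumption that newer audit versions split oversized arguments that way.

```python
import re
import shlex
from typing import Dict, Optional

# Constructed sample EXECVE records (not taken from the original thread).
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1344592500.123:4567): argc=2 a0="ls" a1="/etc"',
    # a1 is hex-encoded because the argument  say "hi"  contains double quotes
    'type=EXECVE msg=audit(1344592501.456:4568): argc=3 a0="echo" a1=7361792022686922 a2="done"',
]
# A shell wildcard expanded to many files before auditd saw the command.
_wild = " ".join(f'a{i}="/etc/f{i:02d}"' for i in range(1, 12))
SAMPLE_RECORDS.append(
    f'type=EXECVE msg=audit(1344592502.789:4569): argc=12 a0="ls" {_wild}'
)

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ARGC_RE = re.compile(r"\bargc=(\d+)")
# aN="..." plain, aN=HEX hex-encoded, aN=(null) empty; aN[M]= is the chunked
# form assumed for oversized arguments.
ARG_RE = re.compile(
    r'\ba(\d+)(?:\[(\d+)\])?=(?:"([^"]*)"|\(null\)|([0-9A-Fa-f]+))'
)


def decode_value(quoted: Optional[str], hexval: Optional[str]) -> str:
    """Return the argument text; hex form is decoded back to bytes/UTF-8."""
    if quoted is not None:
        return quoted
    if hexval is not None:
        return bytes.fromhex(hexval).decode("utf-8", errors="replace")
    return ""  # (null)


def parse_execve(record: str, max_args: int = 8) -> Optional[Dict]:
    """Turn one EXECVE record into an enriched dict with a single command string."""
    if "type=EXECVE" not in record:
        return None
    m = EVENT_RE.search(record)
    event_id = f"{m.group(1)}:{m.group(2)}" if m else None
    argc_m = ARGC_RE.search(record)
    argc = int(argc_m.group(1)) if argc_m else None

    # Collect pieces keyed by argument index, then chunk index.
    pieces: Dict[int, Dict[int, str]] = {}
    for am in ARG_RE.finditer(record):
        idx, chunk = int(am.group(1)), int(am.group(2) or 0)
        pieces.setdefault(idx, {})[chunk] = decode_value(am.group(3), am.group(4))

    args = [
        "".join(pieces[i][c] for c in sorted(pieces[i])) for i in sorted(pieces)
    ]
    # shlex.join re-quotes arguments that contain spaces or quotes, so the
    # result is readable and still unambiguous.
    shown = args[:max_args]
    command = shlex.join(shown)
    truncated = len(args) > max_args
    if truncated:
        command += f" ... (+{len(args) - max_args} more)"
    return {
        "event_id": event_id,
        "argc": argc,
        "command": command,
        "truncated": truncated,
        # argc lets the consumer notice a record that lost arguments in transit
        "complete": argc is None or argc == len(args),
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(parse_execve(rec, max_args=4))
```

The `complete` flag is the defender-side check worth keeping: if `argc` disagrees with the number of arguments recovered, the record was truncated or mangled somewhere between the kernel and the central repository, and the enriched `command` field should not be trusted as the full command line.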
