On 15/12/08, Steve Grubb wrote:
> Hello,
> 
> I would like to point out 2 new standards that have been posted to the linux 
> audit web page. The first establishes the events around system start up and 
> shutdown. This is important because it sets the session boundaries for when a 
> system is up or down or crashed.
> 
> http://people.redhat.com/sgrubb/audit/system-lifecycle.txt

A couple of very minor corrections to this first one:

--- system-lifecycle.txt.orig   2015-12-08 15:36:34.441782830 -0500
+++ system-lifecycle.txt        2015-12-08 15:38:10.763998066 -0500
@@ -62,7 +62,7 @@
 /* boot */
 audit_log_user_message (fd, AUDIT_SYSTEM_BOOT, "init", NULL, NULL, NULL, 1);
 
-/* run leve change */
+/* run level change */
 snprintf (buf, sizeof (buf), "old-level=%c new-level=%c", old, level);
 audit_log_user_message (fd, AUDIT_SYSTEM_RUNLEVEL, buf, NULL, NULL, NULL, 1);
 
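Review bot: both audit_log_user_message() calls in this hunk discard the function's return value, and the surrounding text never says what an init implementation should do when a boot or run-level event cannot be delivered to the daemon; since this document is meant as the reference that init systems will copy, suggest checking the return value in the snippets (e.g. `if (audit_log_user_message (fd, AUDIT_SYSTEM_BOOT, "init", NULL, NULL, NULL, 1) <= 0)`) and adding a sentence on the expected failure handling, so that a missing session-boundary event is at least noticed rather than silently lost.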
@@ -77,7 +77,7 @@
 audit_log_user_message (fd, AUDIT_SERVICE_START, buf, NULL, NULL, NULL, 1);
 free(buf);
 
-Service stop events should be the same os start with the exception of using
+Service stop events should be the same as start with the exception of using
 AUDIT_SERVICE_STOP as the event type. If only the pid is available, record
 that as "spid". There must be a way to compare start and stop records to see
 that they balance. (There are as many starts as stops.)
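Review bot: the balancing requirement in the last paragraph of this hunk ("There must be a way to compare start and stop records to see that they balance") only specifies the fallback key, the "spid" used when just the pid is known, and not the primary key an aggregator should pair on when the service name carried in buf is available; suggest stating explicitly that start and stop records are matched on the service name when present and on spid otherwise, and that each start must be closed by exactly one stop, so that independent implementations produce records that can actually be paired.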

> The second standard is more of a forward-looking standard. It explains how 
> the audit daemon and utilities will perform event enrichment before being 
> stored long term in an aggregator. The target for implementation is the 2.5 
> release of the audit daemon.
> 
> http://people.redhat.com/sgrubb/audit/event-enrichment

How do you mean for IP address to be "resolved"?  Is this simply a
matter of recording it?  Or would this be a reverse lookup on the local
machine to get the opinion of what it should be from the DNS perspective
of the local machine, assuming different machines in the logging domain
could potentially have different views of DNS?

> Let me know if anyone has feedback on these standards, especially the second 
> one.
> 
> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
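The system-lifecycle standard discussed above requires that service start and stop records balance and that boot/shutdown events delimit a system session. The following is an added example, written for this page and not part of the audit project or of the standard itself, that runs that check over a few constructed audit records. The record layout follows what audit_log_user_message() produces (type=, msg=audit(time:serial):, and a quoted msg='...' payload); the payload field names unit= for the service name and spid= for the pid-only fallback are assumptions, as the standard only names "spid".

```python
"""Balance-check system-lifecycle audit events (added example, not project code)."""
import re
from collections import OrderedDict

# Constructed sample log, not captured from a real system. Session one crashes
# (a second SYSTEM_BOOT arrives with no SYSTEM_SHUTDOWN), and the pid-only
# service started as spid=2311 is therefore never stopped.
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1449600000.100:1): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SYSTEM_RUNLEVEL msg=audit(1449600001.200:2): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='old-level=N new-level=3 comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1449600002.300:3): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1449600002.400:4): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='spid=2311 comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1449600100.500:5): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SYSTEM_BOOT msg=audit(1449600300.100:6): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1449600302.300:7): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1449600400.500:8): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=SYSTEM_SHUTDOWN msg=audit(1449600500.600:9): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
# key=value where value is 'single-quoted', "double-quoted" or a bare token;
# keys may contain '-' (old-level / new-level from the run-level snippet).
FIELD_RE = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S*)")


def parse_record(line):
    """Parse one audit record into a dict of type/time/serial plus every k=v
    field; fields inside the quoted msg='...' payload are flattened in too."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    rec = {"type": rtype, "time": float(f"{secs}.{millis}"), "serial": int(serial)}
    for key, val in FIELD_RE.findall(body):
        if key == "msg":
            for ikey, ival in FIELD_RE.findall(val.strip("'")):
                rec[ikey] = ival.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def service_key(rec):
    """Pair on the service name when present, else on the pid recorded as spid
    (both field names are assumptions of this example)."""
    return rec.get("unit") or rec.get("spid")


def service_balance(records):
    """Return (matched, unmatched_starts, orphan_stops) as lists of serials.
    Every SERVICE_START must be closed by exactly one SERVICE_STOP with the same key."""
    open_starts, matched, orphan_stops = OrderedDict(), [], []
    for rec in records:
        if rec["type"] == "SERVICE_START":
            open_starts.setdefault(service_key(rec), []).append(rec)
        elif rec["type"] == "SERVICE_STOP":
            pending = open_starts.get(service_key(rec))
            if pending:
                matched.append((pending.pop(0)["serial"], rec["serial"]))
            else:
                orphan_stops.append(rec["serial"])
    unmatched = [r["serial"] for lst in open_starts.values() for r in lst]
    return matched, unmatched, orphan_stops


def sessions(records):
    """Derive up/down sessions from SYSTEM_BOOT / SYSTEM_SHUTDOWN. A boot while a
    session is still open means the previous one ended without a shutdown
    record, which is reported as a crash (or lost records)."""
    out, current = [], None
    for rec in records:
        if rec["type"] == "SYSTEM_BOOT":
            if current is not None:
                current["end"] = "crash"
                out.append(current)
            current = {"start": rec["serial"], "end": None}
        elif rec["type"] == "SYSTEM_SHUTDOWN" and current is not None:
            current["end"] = "shutdown"
            out.append(current)
            current = None
    if current is not None:
        current["end"] = "open"
        out.append(current)
    return out


def check(log_text):
    """Parse a log and return the balance report and session boundaries."""
    recs = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    matched, unmatched, orphans = service_balance(recs)
    return {"matched": matched, "unmatched_starts": unmatched,
            "orphan_stops": orphans, "sessions": sessions(recs)}


if __name__ == "__main__":
    for k, v in check(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the constructed log the report pairs serials 3/5 and 7/8, flags serial 4 (the pid-only start) as never stopped, and marks the first session as ended by a crash because the second SYSTEM_BOOT arrived with no SYSTEM_SHUTDOWN in between; that is exactly the "as many starts as stops" and up/down/crashed information the standard wants an aggregator to be able to recover.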
