FYI
This is an email thread I had with Steve and Matt regarding the format of the
CUPS related audit records. Just sharing in case anyone has input.
Thanks
- Loulwa
-------- Original Message --------
Subject: Re: CUPS audit record
Date: Tue, 29 Aug 2006 18:50:47 -0400
From: Steve Grubb <[EMAIL PROTECTED]>
To: Loulwa Salem <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], "Kristin E. Wilson" <[EMAIL PROTECTED]>
On Tuesday 29 August 2006 18:27, Loulwa Salem wrote:
> Hi Steve and Matt,
> I was working on parsing the new CUPS related audit records for some of our
> test cases when I encountered this record:
>
> type=USER_LABELED_EXPORT msg=audit(1156884574.798:830): user pid=14900 uid=0
> auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='job=221 auid=0 acct=root
> printer=LTC title=Audit_ok.ps
> obj=root:staff_r:staff_lpr_t:SystemLow-SystemHigh label=SystemLow-SystemHigh:
> exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=2.0.0.0,
> terminal=? res=success)'
>
> I wanted to let you know that the "auid" field is shown twice, is it going
> to remain this way?
The one inside the msg should go away. Userspace apps cannot be trusted to set
that correctly.
> The other thing .. I am looking at parsing the following types:
> USER_LABELED_EXPORT
> LABEL_LEVEL_CHANGE
> LABEL_OVERRIDE
> I see multiple variations of the LABEL_LEVEL_CHANGE (as below), is there a
> way to make the format slightly more standardized so parsing won't be
> complicated? Or maybe have two different types if the records look that
> much different. Steve are you parsing those types in your auparse tool?
If they have the same message type, they should be identical in format. That
is the rule for the audit system. I have not looked at the audit messages in
cups. Maybe I should do that in a day or two.
> type=LABEL_LEVEL_CHANGE msg=audit(1156884529.511:827): user pid=14900 uid=0
> auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='[Config] Security
> level=mls: exe="/usr/sbin/cupsd" (hostname=localhost.localdomain,
> addr=2.0.0.0, terminal=? res=success)'
Shouldn't there be a: was, is kinda thing? I think it should answer the basic
question of: who changed it, from where, what changed, what was it, what is
the new value, and was it successful.
> type=LABEL_LEVEL_CHANGE msg=audit(1156884529.515:828): user pid=14900 uid=0
> auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='[Config] printer=LTC
> uri=usb:/dev/usb/lp0 banners set to classified none has range SystemHigh:
> exe="/usr/sbin/cupsd" (hostname=localhost.localdomain, addr=2.0.0.0,
> terminal=? res=success)'
This looks wrong. Anything that is meaningful should be in name=value format
so that parsers can find it.
Not knowing the context exactly, but something like this, perhaps:
banners=classified none range=SystemHigh
I don't know what the none goes to.
-Steve
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
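The two rules Steve states in the thread (every meaningful item inside msg='' must be name=value so a parser can find it, and a field such as auid must not appear twice) can be checked mechanically. The following Python parser is an added example written for this page; it is not code from the thread, from CUPS or from audit/auparse. It splits a userspace audit record into the kernel-supplied header fields and the msg='' body, then reports bare words in the body and duplicated fields. The three sample records are the ones quoted in the thread, re-joined onto single lines; the field-scope names ("header", "msg") and the issue strings are this example's own conventions.

```python
"""Parse CUPS-style userspace audit records and flag the two problems raised in
the thread: free text inside msg='' (not name=value) and fields that appear
twice (auid in both the kernel header and the msg body)."""
import re
from typing import Dict, List

# type=T msg=audit(<timestamp>:<serial>): <header fields> msg='<body>'
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# Body layout used by these records: "<fields>[:] exe="..." (<connection info>)"
INNER_RE = re.compile(r'^(?P<fields>.*?):?\s*exe=(?P<exe>"[^"]*")\s*\((?P<conn>[^)]*)\)\s*$')
TOKEN_RE = re.compile(r'\S+="[^"]*"|\S+')      # keep key="value with spaces" together
KV_RE = re.compile(r"^([A-Za-z_]\w*)=(.*)$")   # a well-formed name=value token


def _absorb(rec: Dict, tokens: List[str], scope: str) -> None:
    """Store name=value tokens; record duplicates and bare (non-name=value) words."""
    for tok in tokens:
        m = KV_RE.match(tok)
        if not m:
            rec["free_text"].append((scope, tok))
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if key in rec["fields"]:
            # Keep the first value seen: header fields are written by the kernel,
            # so the header auid wins over a copy the daemon put inside msg=''.
            rec["duplicates"].setdefault(key, [rec["fields"][key]]).append(value)
        else:
            rec["fields"][key] = value


def parse_record(line: str) -> Dict:
    """Return {type, timestamp, serial, fields, duplicates, free_text} for one record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec = {"type": m["type"], "timestamp": m["ts"], "serial": int(m["serial"]),
           "fields": {}, "duplicates": {}, "free_text": []}
    rest = m["rest"]
    inner = re.search(r"msg='(.*)'\s*$", rest)
    if inner:
        rest = rest[: inner.start()]
    # The bare word "user" in the header is the normal userspace-record marker;
    # it is recorded under scope "header" and not treated as a defect.
    _absorb(rec, TOKEN_RE.findall(rest), "header")
    if inner:
        body = INNER_RE.match(inner.group(1))
        if body:
            _absorb(rec, TOKEN_RE.findall(body["fields"]), "msg")
            _absorb(rec, ["exe=" + body["exe"]], "msg")
            _absorb(rec, TOKEN_RE.findall(body["conn"].replace(",", " ")), "msg")
        else:  # body does not end in exe="..." (...); tokenize it as a whole
            _absorb(rec, TOKEN_RE.findall(inner.group(1)), "msg")
    return rec


def validate(rec: Dict) -> List[str]:
    """Apply the thread's rule: everything in msg='' is name=value, nothing twice."""
    issues = []
    bare = [tok for scope, tok in rec["free_text"] if scope == "msg"]
    if bare:
        issues.append("free text in msg body: " + " ".join(bare))
    for key, values in rec["duplicates"].items():
        issues.append("field %s appears %d times: %s" % (key, len(values), values))
    return issues


# The three records quoted in the thread, re-joined onto single lines.
SAMPLES = [
    "type=USER_LABELED_EXPORT msg=audit(1156884574.798:830): user pid=14900 uid=0 "
    "auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='job=221 auid=0 acct=root "
    "printer=LTC title=Audit_ok.ps "
    "obj=root:staff_r:staff_lpr_t:SystemLow-SystemHigh label=SystemLow-SystemHigh: "
    "exe=\"/usr/sbin/cupsd\" (hostname=localhost.localdomain, addr=2.0.0.0, "
    "terminal=? res=success)'",
    "type=LABEL_LEVEL_CHANGE msg=audit(1156884529.511:827): user pid=14900 uid=0 "
    "auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='[Config] Security "
    "level=mls: exe=\"/usr/sbin/cupsd\" (hostname=localhost.localdomain, "
    "addr=2.0.0.0, terminal=? res=success)'",
    "type=LABEL_LEVEL_CHANGE msg=audit(1156884529.515:828): user pid=14900 uid=0 "
    "auid=0 subj=root:staff_r:staff_t:s0-s15:c0.c255 msg='[Config] printer=LTC "
    "uri=usb:/dev/usb/lp0 banners set to classified none has range SystemHigh: "
    "exe=\"/usr/sbin/cupsd\" (hostname=localhost.localdomain, addr=2.0.0.0, "
    "terminal=? res=success)'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_record(sample)
        print(rec["type"], rec["serial"], validate(rec) or ["ok"])
```

Run against the thread's records, the USER_LABELED_EXPORT record is reported only for the duplicated auid, while both LABEL_LEVEL_CHANGE records are reported for bare words ("[Config] Security" and "banners set to classified none has range SystemHigh") that a name=value parser cannot attach to any field, which is exactly why the two variants of the same type cannot be parsed by one rule.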