praudit parse with gnu grep


praudit parse with gnu grep

by Vladimir Ermakov


Hi, all.

# praudit /etc/auditpipe | grep "bla bla bla"
&
# praudit /etc/auditpipe | tee file.log

this does not work,
please help me

/Vladimir Ermakov
_______________________________________________
freebsd-audit@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-audit
To unsubscribe, send any mail to "freebsd-audit-unsubscribe@..."

Re: praudit parse with gnu grep

by Vladimir Ermakov


Robert Watson wrote:

>
> On Tue, 21 Aug 2007, sam wrote:
>
>>>>>> # praudit /etc/auditpipe | grep "bla bla bla" & # praudit
>>>>>> /etc/auditpipe | tee file.log
>>>>>>
>>>>>> this is not work please help me
>>>>>
>>>>> This thread is also on freebsd-hackers, but just to follow up here
>>>>> as well for the purposes of the archives:
>>>>>
>>>>> - It's /dev/auditpipe not /etc/auditpipe
>>>>> - If you're using grep, try --line-buffered
>>>>>
>>>> --line-buffered did not help me
>>>
>>> When you run praudit on /dev/auditpipe directly, do you get the
>>> records you expect?
>>
>> yes
>
> So what are you getting or not getting that is unexpected when you run
> with grep?  Have you tried forcing lots of records of the type you
> would be matching to be created to make sure the buffers are flushing
> from praudit/grep/etc?  The input/output buffers in stdio mean that
> you may not see output immediately, the buffer has to fill enough to
> trigger an I/O before that will happen.
>
> We could add an fflush call to praudit's output, which would flush the
> I/O out the file descriptor, but that wouldn't necessarily solve
> grep's buffering. The attached patch might do this.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> Index: praudit.c
> ===================================================================
> RCS file: /data/fbsd-cvs/ncvs/src/contrib/openbsm/bin/praudit/praudit.c,v
> retrieving revision 1.1.1.3
> diff -u -r1.1.1.3 praudit.c
> --- praudit.c    16 Apr 2007 15:36:57 -0000    1.1.1.3
> +++ praudit.c    21 Aug 2007 14:26:43 -0000
> @@ -107,6 +107,7 @@
>          free(buf);
>          if (oneline)
>              printf("\n");
> +        fflush(stdout);
>      }
>      return (0);
>  }
>
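Review bot: the `fflush(stdout)` added inside the record loop is unconditional, so every record now costs a write(2) even when praudit is converting a large trail file into another regular file rather than following /dev/auditpipe; consider checking once before the loop whether stdout is a pipe, terminal or socket (fstat(2) on fileno(stdout)) or putting the per-record flush behind an option, so the interactive case is fixed without slowing batch conversion. The commit message should also say that this only flushes praudit's side of the pipeline: a downstream grep still buffers its own output and needs --line-buffered, as noted earlier in the thread.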
many thanks,
this patch is working

/Vladimir Ermakov

Re: praudit parse with gnu grep

by Robert Watson



On Wed, 22 Aug 2007, sam wrote:

>> Index: praudit.c
>> ===================================================================
>> RCS file: /data/fbsd-cvs/ncvs/src/contrib/openbsm/bin/praudit/praudit.c,v
>> retrieving revision 1.1.1.3
>> diff -u -r1.1.1.3 praudit.c
>> --- praudit.c    16 Apr 2007 15:36:57 -0000    1.1.1.3
>> +++ praudit.c    21 Aug 2007 14:26:43 -0000
>> @@ -107,6 +107,7 @@
>>          free(buf);
>>          if (oneline)
>>              printf("\n");
>> +        fflush(stdout);
>>      }
>>      return (0);
>>  }
>
> many thanks, this patch is working

Vladimir,

I've merged this change into OpenBSM, and it will appear in the next release.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

Re: praudit parse with gnu grep

by Vladimir Ermakov

>>> RCS file:
>>> /data/fbsd-cvs/ncvs/src/contrib/openbsm/bin/praudit/praudit.c,v
>>> retrieving revision 1.1.1.3
>>> diff -u -r1.1.1.3 praudit.c
>>> --- praudit.c    16 Apr 2007 15:36:57 -0000    1.1.1.3
>>> +++ praudit.c    21 Aug 2007 14:26:43 -0000
>>> @@ -107,6 +107,7 @@
>>>          free(buf);
>>>          if (oneline)
>>>              printf("\n");
>>> +        fflush(stdout);
>>>      }
>>>      return (0);
>>>  }
>>
>> many thanks, this patch is working
>
> Vladimir,
>
> I've merged this change into OpenBSM, and it will appear in the next
> release.
>
> Thanks,
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
Hello,
please add a switch (command-line argument) to enable/disable the pipe buffering

/Vladimir Ermakov


audit (OpenBSM) & cat

by Vladimir Ermakov


Hi all,

Description of the problem on a FreeBSD 6.3-RELEASE i386 system:

Open two PuTTY consoles on the remote server.

console1:
# cat /dev/auditpipe | praudit -l

console2:
# cat >> /var/log/audit_cat.data

console1 (output message):
# cat /dev/auditpipe | praudit -l
header,168,10,open(2) - write,creat,0,Fri Feb  8 12:59:34 2008, + 309 msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,

after 30 seconds

console2 (cat waits for user input; the user types a message and presses
'Ctrl+d' to detach):
# cat >> /var/log/audit_cat.data
abracadabra_message
#

console1 (does not output a message for the user action 'adding the string
"abracadabra_message" & detaching'):
# cat /dev/auditpipe | praudit -l
header,168,10,open(2) - write,creat,0,Fri Feb  8 12:59:34 2008, + 309 msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,


/dev/auditpipe outputs data at the moment the file descriptor is created, but does not
output a message after the string is added to the file and the file is closed.

Any solution?


/Vladimir Ermakov



Re: audit (OpenBSM) & cat

by Vladimir Ermakov


sam wrote:
>
> description of trouble situation on system FreeBSD 6.3-RELEASE i386
>
>
my /etc/security/audit_control:

dir:/var/audit
flags:^all
minfree:20
naflags:^all
policy:cnt
filesz:0


/Vladimir Ermakov


OpenBSM & Jails

by Vladimir Ermakov


Hello,

I am using OpenBSM on a system with jails.

Part of the praudit output; the action is a file write inside a jail:

--------------------------------------------------
header,176,10,open(2) - write,creat,trunc,0,Thu Feb 21 13:45:06 2008, + 501 msec,argument,3,0x81ed,mode,argument,2,0x601,flags,path,//site/svn/dev.lineage2.dom/pamm/hooks/post-commit,attribute,755,www,www,88,800911,3234053,subject,lynx,root,wheel,root,wheel,44680,44668,56876,10.15.1.116,return,success,4,trailer,176,
--------------------------------------------------

Please add jail identification to the output (cat /dev/auditpipe | praudit -lp).

/Vladimir Ermakov


Re: OpenBSM & Jails

by Robert Watson



On Thu, 21 Feb 2008, sam wrote:

> i am using OpenBSM on System with jails
>
> part of praudit output / action write file in jail
>
> --------------------------------------------------
> header,176,10,open(2) - write,creat,trunc,0,Thu Feb 21 13:45:06 2008, + 501
> msec,argument,3,0x81ed,mode,argument,2,0x601,flags,path,//site/svn/dev.lineage2.dom/pamm/hooks/post-commit,attribute,755,www,www,88,800911,3234053,subject,lynx,root,wheel,root,wheel,44680,44668,56876,10.15.1.116,return,success,4,trailer,176,
> --------------------------------------------------
>
> please add jail-identification in output (cat /dev/auditpipe | praudit -lp)

Vladimir,

I believe Christian has plans to use the Solaris "zone" BSM token to this end,
as well as plans to enhance our support for hostid header fields so that when
audit trails are aggregated from many sources, they can be processed with
awareness of which source they came from.  I've added him to the CC line, and
he may be able to expand on this.

Robert N M Watson
Computer Laboratory
University of Cambridge


Re: audit (OpenBSM) & cat

by Robert Watson


On Fri, 8 Feb 2008, sam wrote:

> description of the problem on a FreeBSD 6.3-RELEASE i386 system:
>
> open two PuTTY consoles on the remote server
>
> console1: # cat /dev/auditpipe | praudit -l
>
> console2: # cat >> /var/log/audit_cat.data
>
> console1 (output message): # cat /dev/auditpipe | praudit -l
> header,168,10,open(2) - write,creat,0,Fri Feb 8 12:59:34 2008, + 309
> msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,
>
> after 30 seconds
>
> console2 (cat waits for user input; the user types a message and presses 'Ctrl+d'
> to detach): # cat >> /var/log/audit_cat.data abracadabra_message #
>
> console1 (does not output a message for the user action 'adding the string
> "abracadabra_message" & detaching'): # cat /dev/auditpipe | praudit -l
> header,168,10,open(2) - write,creat,0,Fri Feb 8 12:59:34 2008, + 309
> msec,argument,3,0x1b6,mode,argument,2,0x209,flags,path,/var/log/audit_cat.data,attribute,644,root,admin,72,2732063,10952279,subject,venom,root,wheel,root,wheel,44255,41955,1647,192.168.1.26,return,success,4,trailer,168,
>
>
> /dev/auditpipe outputs data at the moment the file descriptor is created, but does not
> output a message after the string is added to the file and the file is closed
>
> any solution?

Vladimir,

I appear to have missed this e-mail when it came through about a month ago,
sorry about that.  By default /dev/auditpipe reports whatever is configured to
go to the system audit trail for the user.  So the real question, I think, is
whether what's in /etc/security/{audit_control,audit_user} matches what you're
seeing.  Be aware that, in our default audit_events file, we don't map
AUE_READ/AUE_READV/etc. to any event class, so if you want to capture the
actual I/O operations, you'll need to add it to a class and make sure that
class is set for the users of interest.  AUE_CLOSE, on the other hand, is
mapped to the "cl" class by default, so if you've enabled auditing of "cl",
you should see close events.

WARNING: If you add auditing of individual read/write/send/receive I/O
operations, you make it very, very easy to get audit event cycles.  Make sure
that any process that will be monitoring the audit event stream (for example,
praudit /dev/auditpipe) is *not* seeing auditing of its reads and writes, or
you may see feedback effects.  This is similar to running tcpdump from an
ssh session -- each packet sent leads to yet more packets being sent, etc.

We do support auditing those events, but the protection profiles of interest
require auditing intent to read or write (open flags) rather than the actual
operations in most cases.

Robert N M Watson
Computer Laboratory
University of Cambridge