RHEL-957: [RFE] auditctl needs a machine process-able manner for detecting errors


      This bug was initially created as a copy of Bug #1812604

      I am copying this bug because:

      It represents 2 entirely different requests. This will focus on the json output.

      1. Proposed title of this feature request

      Machine process-able output from auditctl

      3. What is the nature and description of the request?

      I would like to be able to run something like 'auditctl --check <filename>' and have it return some sort of structured output that is easy to process via a script. The customer has provided a suggestion using JSON.

      4. Why does the customer need this? (List the business requirements here)

      Customer reports they need to fully load a ruleset into a running state to get the check done, which is not ideal if we need to test changes on a live system.

      They would also like a programmatic way of parsing the output with scripting.

      5. How would the customer like to achieve this? (List the functional requirements here)

      Customer provided examples:

      $ cat test.rules
      -c
      -D
      -f 1
      -r 200
      -b 30000
      -w /var/log
      -w /tmp/*
      -w /etc/foo/bar
      -a never,exit -F arch=b64 -F uid=bob
      -s

      $ cat test.json
        {
          "metadata": {
            "rules_loaded": "<value missing from the suggestion>",
            "enabled": 1,
            "failure": 1,
            "rate_limit": 200,
            "backlog_limit": 30000,
            "backlog_wait_time": 60000,
            "loginuid_immutable": 0
          },
          "warnings": [
            { "message": [ "Warning - wildcard notation is not supported" ], "line": "<Would love to know>", "content": "<Cannot figure out without the line>" }
          ],
          "errors": [
            { "message": [ "Error sending add rule data request (No such file or directory)" ], "line": 8, "content": "-w /etc/foo/bar" },
            { "message": [ "-F unknown field: uid", "Unknown user: bob" ], "line": 9, "content": "-a never,exit -F arch=b64 -F uid=bob" }
          ]
        }

      6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      Based on the formatting of the output, the customer can develop scripts to parse it and test rule sets.
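A consumer of the proposed report, as an added example that is not from the issue or from the audit project: it assumes the JSON layout suggested above (metadata, plus warnings and errors carrying message/line/content), builds the sample rules and report inline, encodes the warning's unknown line and content as null, and exits non-zero when any rule failed to load so a CI job can reject a ruleset without loading it on a live system.

```python
import json
# Constructed sample: the issue's test.rules and a report in the proposed layout;
# the wildcard warning's unknown line/content are encoded as null.
RULES = """-c
-D
-f 1
-r 200
-b 30000
-w /var/log
-w /tmp/*
-w /etc/foo/bar
-a never,exit -F arch=b64 -F uid=bob
-s
"""
REPORT = json.dumps({
    "metadata": {"enabled": 1, "failure": 1, "rate_limit": 200, "backlog_limit": 30000,
                 "backlog_wait_time": 60000, "loginuid_immutable": 0},
    "warnings": [{"message": ["Warning - wildcard notation is not supported"],
                  "line": None, "content": None}],
    "errors": [{"message": ["Error sending add rule data request (No such file or directory)"],
                "line": 8, "content": "-w /etc/foo/bar"},
               {"message": ["-F unknown field: uid", "Unknown user: bob"],
                "line": 9, "content": "-a never,exit -F arch=b64 -F uid=bob"}],
})


def locate(finding, lines):
    """Map a finding to a 1-based line of the rules file, or None if it cannot be placed.
    The reported line is trusted only when its content matches the file (stale or
    shifted reports); otherwise the content is searched for; otherwise give up."""
    n, content = finding.get("line"), finding.get("content")
    if isinstance(n, int) and 0 < n <= len(lines) and content in (None, lines[n - 1]):
        return n
    return lines.index(content) + 1 if content in lines else None


def check_rules(rules_text, report_json):
    """Return (ok, findings). ok is False when any rule failed to load; findings is
    [(severity, line, messages)] with unlocated findings sorted last."""
    lines = rules_text.splitlines()
    report = json.loads(report_json)
    findings = [(sev, locate(f, lines), list(f["message"]))
                for sev in ("error", "warning") for f in report.get(sev + "s", [])]
    findings.sort(key=lambda t: (t[1] is None, t[1] or 0))
    return not report.get("errors"), findings


if __name__ == "__main__":  # exit non-zero so a CI job can reject a broken ruleset
    ok, found = check_rules(RULES, REPORT)
    for sev, line, msgs in found:
        print(f"{sev}: line {'?' if line is None else line}: {'; '.join(msgs)}")
    raise SystemExit(0 if ok else 1)
```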

      8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

      RHEL 8

      11. Would the customer be able to assist in testing this functionality if implemented?

      Yes.

            rh-ee-alakatos Attila Lakatos
            audit_steve Steve Grubb
            Sergio Correia Sergio Correia
            SSG Security QE SSG Security QE