Hi,
I have a fedora33 system and would like to get more involved with auditd. I understand the basics, but are there any tools to process the audit.log file, to make it easier to process, read and display?
How about acting on specific events? What if I wanted to be alerted somehow when sudo was run more than five times in some period? Perhaps logwatch?
I've seen references to using it with splunk but are there open source alternatives?
I'm also aware of aureport, which appears to be great for producing summary reports, and maybe an event report, but what do people do with this information to make it useful?
How do admins normally act on the information in the logs? Are they just using it to investigate a specific event, such as when privileges are escalated for some reason or ssh is being used?
It's otherwise just too much information - who cares that ssh is being used or sudo was run, unless you thought that functionality was disabled, for example.
Thanks, Alex
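One way to build the "alert when sudo was run more than five times in some period" check the question asks about, as an added example that is not from this thread or from the audit package: a short Python script that parses audit.log records, keeps the USER_CMD records sudo writes for each command, counts them per login user (auid) in a sliding time window, and reports when more than the threshold land inside the window. The sample records, the 300-second window, the threshold of five and the script name are constructed for illustration.

```python
"""Count sudo invocations per user in audit.log and flag bursts.

Added example for the question above, not code from the thread or from
auditd. The SAMPLE_LOG records are constructed to imitate the USER_CMD
lines sudo writes to the audit log; threshold and window are assumptions.
"""
import re
import sys
from collections import defaultdict, deque

# Fixed prefix of every audit record: "type=X msg=audit(SECONDS.MILLIS:SERIAL):"
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+)\.\d+:\d+\):\s*(?P<rest>.*)$"
)
# key=value pairs; a value is either "double quoted" or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_cmd(value):
    """sudo hex-encodes cmd= when the command contains spaces; undo that.

    Heuristic: an even-length run of hex digits that decodes to valid UTF-8
    is treated as encoded; anything else is returned unchanged.
    """
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except ValueError:
            pass
    return value


def parse_record(line):
    """Split one audit.log line into a dict of fields; None if not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": int(m.group("ts"))}
    # Fields inside msg='...' are flattened into the same dict
    rest = m.group("rest").replace("msg='", "").rstrip("'")
    for key, val in FIELD_RE.findall(rest):
        rec[key] = val.strip('"')
    if "cmd" in rec:
        rec["cmd"] = decode_cmd(rec["cmd"])
    return rec


def detect_sudo_bursts(lines, threshold=5, window=300):
    """Return (ts, auid, count) for each burst of more than `threshold`
    sudo runs by one login user (auid) inside `window` seconds.

    Records are expected in chronological order, as in audit.log. After an
    alert the user's window is cleared so one burst produces one alert.
    """
    recent = defaultdict(deque)   # auid -> timestamps of recent sudo runs
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "USER_CMD" or rec.get("exe") != "/usr/bin/sudo":
            continue
        user = rec.get("auid", "unknown")
        q = recent[user]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop runs older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((rec["ts"], user, len(q)))
            q.clear()
    return alerts


# Constructed sample: an unrelated SYSCALL record, one old sudo run outside
# the window, six runs by auid 1000 within 50 seconds (one by auid 1001 in
# between), then one more run after the burst. "646E6620757064617465" is
# the hex encoding of "dnf update".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1611876000.100:100): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo"
type=USER_CMD msg=audit(1611876000.200:101): pid=2001 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=646E6620757064617465 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1611877200.123:201): pid=2101 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1611877210.456:202): pid=2102 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1611877220.789:203): pid=2103 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=failed'
type=USER_CMD msg=audit(1611877230.012:204): pid=2104 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1611877235.345:205): pid=2105 uid=1001 auid=1001 ses=4 msg='cwd="/home/bob" cmd=id exe="/usr/bin/sudo" terminal=pts/1 res=success'
type=USER_CMD msg=audit(1611877240.678:206): pid=2106 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1611877250.901:207): pid=2107 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1611877260.234:208): pid=2108 uid=1000 auid=1000 ses=3 msg='cwd="/home/alex" cmd=id exe="/usr/bin/sudo" terminal=pts/0 res=success'
"""

if __name__ == "__main__":
    # Piped input (e.g. from ausearch --raw) is used when present, else the sample
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ts, user, n in detect_sudo_bursts(source):
        print(f"auid={user} ran sudo {n} times within 300s, last at audit time {ts}")
```

Against a real log the script (called sudo_bursts.py here, a name chosen for the example) can be fed with `sudo ausearch -m USER_CMD --raw | python3 sudo_bursts.py`; `--raw` preserves the record format the parser expects. Counting per auid rather than per uid is deliberate: auid is the login user set at authentication and survives su/sudo, so it answers "which person" rather than "which effective account".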
could sudo dnf install setroubleshoot-server setroubleshoot
and/or https://docs.fedoraproject.org//en-US/Fedora/25/html/SELinux_Users_and_Admin... - actuality ??? -
help ?
On 1/28/21 3:53 PM, sixpack13 wrote:
could sudo dnf install setroubleshoot-server setroubleshoot
and/or https://docs.fedoraproject.org//en-US/Fedora/25/html/SELinux_Users_and_Admin...
- actuality ??? -
help ?
You completely removed any context and your message is unclear...
selinux and auditd are separate, so I have no idea what you're trying to say here.
On Thu, 2021-01-28 at 16:49 -0800, Samuel Sieb wrote:
You completely removed any context and your message is unclear...
Q: How many surrealists does it take to change a light bulb?
A: Two, one to hold the giraffe, and the other to fill the bathtub with brightly colored machine tools.
Or, put another way, there's a very good reason why the long-established way to participate in a mailing list is quote the salient bits of the prior email and directly reply to individual sentences or paragraphs right underneath them. So that readers know what answers go with which questions.
It's called interspersed replies.
It's NOT called bottom posting, which is merely the opposite of top posting, where someone replies in one great slab below (bottom) or above (top) the post. Either way is not helpful to understanding a message.
On Fri, 2021-01-29 at 17:59 +1030, Tim via users wrote:
On Thu, 2021-01-28 at 16:49 -0800, Samuel Sieb wrote:
You completely removed any context and your message is unclear...
Q: How many surrealists does it take to change a light bulb?
A: Two, one to hold the giraffe, and the other to fill the bathtub with brightly colored machine tools.
Or, put another way, there's a very good reason why the long-established way to participate in a mailing list is quote the salient bits of the prior email and directly reply to individual sentences or paragraphs right underneath them. So that readers know what answers go with which questions.
It's called interspersed replies.
It's NOT called bottom posting, which is merely the opposite of top posting, where someone replies in one great slab below (bottom) or above (top) the post. Either way is not helpful to understanding a message.
Well put. This HyperKitty brokenness of not quoting in replies is becoming a real annoyance. IMHO the only potential advantage in having a web-based interface to the mailing list is if it encourages people to respect the same conventions, which some webmail users seem to have trouble with judging by the amount of top-posting we see. Otherwise what's the point?
poc
On Fri, Jan 29, 2021 at 3:32 AM Patrick O'Callaghan pocallaghan@gmail.com wrote:
there's a very good reason why the long-established way to participate in a mailing list is quote the salient bits of the prior email and directly reply to individual sentences or paragraphs right underneath them. So that readers know what answers go with which questions.
It's called interspersed replies.
A lot of the big providers have made doing this far more difficult than it used to be. I have personal experience with Gmail, where I used to be able to highlight part of the message, and that was all that would be included in my reply, but that no longer works; the entire message is included and I have to manually trim it. Gmail also top posts by default, which may also account for the increased amount of top-posting we see, particularly if other large providers are working the same way. In short, it takes a lot more work than it used to take to do interspersed replies, but it is still possible if you climb the learning curve and put in a little effort.
--Greg
On Fri, 2021-01-29 at 07:47 -0700, Greg Woods wrote:
I have personal experience with Gmail, where I used to be able to highlight part of the message, and that was all that would be included in my reply, but that no longer works; the entire message is included and I have to manually trim it.
Indeed. That was a Gmail "Labs" add-on but was never part of the default interface. I also used it and miss it.
poc
On Friday, January 29, 2021 9:47:35 AM EST Greg Woods wrote:
I have personal experience with Gmail, where I used to be able to highlight part of the message, and that was all that would be included in my reply, but that no longer works; the entire message is included and I have to manually trim it.
Kmail has had this feature for many years. Indeed, that is how I obtained the above to reply to this message. :-)
(Just say no to Web-based E-mail clients.)
On Fri, 2021-01-29 at 12:08 -0500, Garry T. Williams wrote:
On Friday, January 29, 2021 9:47:35 AM EST Greg Woods wrote:
I have personal experience with Gmail, where I used to be able to highlight part of the message, and that was all that would be included in my reply, but that no longer works; the entire message is included and I have to manually trim it.
Kmail has had this feature for many years. Indeed, that is how I obtained the above to reply to this message. :-)
Most real MUAs do this. I use Evolution, even though I'm on KDE.
(Just say no to Web-based E-mail clients.)
Not practical when you have multiple systems including mobile phones and tablets. Pity most of the webmail systems are lame. I don't know of any that handle mailing lists properly (e.g. they don't have a Reply-to-List option, make it difficult to avoid top-posting, etc.)
poc
On Fri, 29 Jan 2021 at 06:31, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Fri, 2021-01-29 at 17:59 +1030, Tim via users wrote:
On Thu, 2021-01-28 at 16:49 -0800, Samuel Sieb wrote:
[...]
Or, put another way, there's a very good reason why the long-established way to participate in a mailing list is quote the salient bits of the prior email and directly reply to individual sentences or paragraphs right underneath them. So that readers know what answers go with which questions.
It's called interspersed replies.
Many people's first email user agent is MS Outlook which encourages top posting by opening a blank section above the quoted message. When Outlook was introduced at work I had to put a line at the top: "See responses below" or people would think I had made an empty reply.
It's NOT called bottom posting, which is merely the opposite of top posting, where someone replies in one great slab below (bottom) or above (top) the post. Either way is not helpful to understanding a message.
Well put. This HyperKitty brokenness of not quoting in replies is becoming a real annoyance. IMHO the only potential advantage in having a web-based interface to the mailing list is if it encourages people to respect the same conventions, which some webmail users seem to have trouble with judging by the amount of top-posting we see. Otherwise what's the point?
People tend to follow patterns established in their early training. In forums for cross-platform applications there are now reports that a command-line program "doesn't work" because nothing happens when the user clicks on the program in the file browser as well as people asking how to add the programs to menus.
On 1/29/21 7:06 AM, George N. White III wrote:
On Fri, 29 Jan 2021 at 06:31, Patrick O'Callaghan pocallaghan@gmail.com wrote:
On Fri, 2021-01-29 at 17:59 +1030, Tim via users wrote:
On Thu, 2021-01-28 at 16:49 -0800, Samuel Sieb wrote:
[...]
Or, put another way, there's a very good reason why the long-established way to participate in a mailing list is quote the salient bits of the prior email and directly reply to individual sentences or paragraphs right underneath them. So that readers know what answers go with which questions.
It's called interspersed replies.
Many people's first email user agent is MS Outlook which encourages top posting by opening a blank section above the quoted message. When Outlook was introduced at work I had to put a line at the top: "See responses below" or people would think I had made an empty reply.
That's a good solution. I've run into that before too. I asked someone at a company why they didn't answer my email and they said it was "empty". I guess they just looked at the preview or something. (Although of course my followup question should have been, why didn't you let me know, since I'm clearly trying to communicate?)
in the OP's text:
- 1. sentence, last part: "...would like to get more involved with auditd."
- in the 2. sentence, 2. part: "..., but are there any tools to process the audit.log..."
- in the 4. paragraph, last part of the sentence: "..., but what do people do with this information ..."
wrong?
if yes: 1. sorry, my bad. 2. English is not my native language, so I'm not every time able to pick up the whole/right sense and need to collect the words out of a dictionary. 3. I'm old, sometimes blind, lazy esp. in terms of "producing long stories on obvious things [*]" (here: the OP "has a shortage of knowledge") and in terms of efficiency, even when I've read a lot of news and blogs over hours (before).
[*] my 6 h A-Level finals (Abitur) in German (Deutsch) was just two DIN A4 pages, or one with both sides written on, and it was a "2" ("Gut"), where others wrote > 50 pages. Teacher's comment: "everything in!"
On 1/29/21 1:19 PM, sixpack13 wrote:
in the OP's text:
- sentence, last part:
"...would like to get more involved with auditd."
- in the 2. sentence, 2. part:
"..., but are there any tools to process the audit.log..."
- in the 4. paragraph, last part of the sentence:
"..., but what do people do with this information ..."
wrong?
I see that you are replying using the hyperkitty web interface which makes it difficult to do proper quoting.
I acknowledge that English is not your first language, but your message was very strangely laid out with no sentences.
However, the biggest problem is that selinux and the audit log are completely separate. Your suggestions about selinux resources were irrelevant.
On Fri, 2021-01-29 at 21:59 +0000, sixpack13 wrote:
And once again, you didn't quote what you are replying to.
poc
To me it seems completely unnecessary. My comment is right under the comment I replied to.
That is the case now here in HyperKitty and - IIRC - was the same when I read this list via Thunderbird.
On Fri, 2021-01-29 at 23:05 +0000, sixpack13 wrote:
On Fri, 2021-01-29 at 21:59 +0000, sixpack13 wrote:
And once again, you didn't quote what you are replying to.
poc
To me it seems completely unnecessary. My comment is right under the comment I replied to.
That is the case now here in HyperKitty and - IIRC - was the same when I read this list via Thunderbird.
I don't know what you see in HyperKitty, but in my mail client (Evolution) the message I replied to had precisely two lines of text, both of which I quoted. Neither of those was itself a quote from an earlier message. I would be *very* surprised if Thunderbird showed it any differently.
poc
On 30/01/2021 07:05, sixpack13 wrote:
On Fri, 2021-01-29 at 21:59 +0000, sixpack13 wrote:
And once again, you didn't quote what you are replying to.
poc
To me it seems completely unnecessary. My comment is right under the comment I replied to.
You may think it is unnecessary. However, some people have their email clients configured to display "unread" messages. When a reply is sent sometime after the original message the "unread" response will be displayed, but not the previous messages. So, when the user sees the response they may not recall what message immediately precedes. This becomes worse when the reply comes hours after the message being replied to.
If you quote what you're replying to you are not putting the burden upon the reader to connect the dots.
If you don't quote then the reader will have to look back to remind themselves what was said.
FWIW, I tend to ignore non-quoted responses. I can't be alone in that regard.
sixpack13 wrote:
To me it seems completely unnecessary. My comment is right under the comment I replied to.
Ed Greshko:
You may think it is unnecessary. However, some people have their email clients configured to display "unread" messages. When a reply is sent sometime after the original message the "unread" response will be displayed, but not the previous messages. So, when the user sees the response they may not recall what message immediately precedes.
And there's plenty of people who don't thread messages into any particular order, just reading them in the order they lobbed in. The previous message(s) displayed in their mail client is probably a completely different thread.
Each message really needs to be clearly understandable when reading it all by itself. That doesn't mean quote the entire message, just enough to make sense.
I might get hundreds of (not spam) email a day, so will many others on mailing lists. We're not going to remember all the details from prior messages. We'll pop back and look when it's really necessary, but not for every message.
@Alex obviously I provided wrong info trying to answer your questions. Sorry!