Re: [Fed-Talk] Auditing crushed by VMware
- Subject: Re: [Fed-Talk] Auditing crushed by VMware
- From: Todd Heberlein <email@hidden>
- Date: Thu, 15 Nov 2012 09:47:49 -0800
> Have you tried looking at what particular events are flooding the system?
> You can create a custom audit class to get the events you want and not the
> nuisance events.
Hi Ruth,
That is the general direction I am looking at. I was thinking of also running the VMs under a different user and then tweaking audit_user to mask out the most egregious audit events by the VM. I've never tweaked audit_user before; hopefully it works as advertised.
After that I'll refine it more by creating a custom class. I'll let people know what I get. Hopefully I'll have a productive weekend of experiments.
I have a big meeting on Friday, so experiments have been put on hold until I get through that :(
Todd
PS: I ran across this while testing the FAAS system I've been working on. Once I clear up this auditing with the VM issue, I'll post the first beta code online.
http://www.netsq.com/Tools/FAAS/Concept/
PPS: I am taking all the Audit Explorer analysis code and putting the analysis on the server and then your analysts can access the results from clients. Once FAAS seems to be working for people, if you have Audit Explorer, shoot me an email and I'll send you a copy of the code to run on the FAAS server. Then you should have audit generation (courtesy of Apple), audit aggregation and protection (courtesy of FAAS), and automated analysis and review (Audit Explorer) working together.
PPPS: Eventually I'll push processed results out for SIEMs to consume (I know lots of people love their Splunk), but I need a little sleep.
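The two steps discussed in this thread (find which events are flooding, then isolate them in a custom class and mask that class for the VM user) as an added example; this is not code from the thread, from FAAS or from Audit Explorer. It assumes an OpenBSM/macOS host where the class name `vm` and mask bit `0x00100000` are unused in `audit_class`, a dedicated account (here `vmuser`) runs the VMs, and the event names you pass exist in `audit_event`; it only writes to a staging directory, never to `/etc/security` directly.

```shell
# Added example (not from the thread). Stage OpenBSM changes that move noisy
# events into a custom "vm" class, keep that class in the system-wide flags so
# every other user still logs them, and put it in the VM user's neveraudit field.
# Assumed free: class name "vm", mask bit 0x00100000. Review the staged files,
# then copy them into /etc/security and run `audit -s` yourself.
set -eu

# Usage: praudit -l /var/audit/current | top_events
# praudit -l prints one record per line; field 4 of the header token is the
# event name, so counting it shows which events are flooding the trail.
top_events() {
    awk -F, '$1 == "header" { n[$4]++ } END { for (e in n) print n[e], e }' | sort -rn
}

# Usage: stage_audit_config /etc/security /tmp/audit-stage vmuser AUE_MMAP ...
stage_audit_config() {
    src=$1; stage=$2; user=$3; shift 3
    mkdir -p "$stage"
    cp "$src/audit_class" "$src/audit_event" "$src/audit_control" "$stage/"
    if [ -f "$src/audit_user" ]; then cp "$src/audit_user" "$stage/"; else : > "$stage/audit_user"; fi
    # audit_class line format: mask:name:description
    grep -q ':vm:' "$stage/audit_class" || \
        printf '0x00100000:vm:vm noise (custom)\n' >> "$stage/audit_class"
    # audit_event line format: number:name:description:classes. An event is
    # recorded if ANY of its classes is in the mask, so each noisy event must
    # leave its broad class (fr, fw, ...) and belong to vm only.
    for ev in "$@"; do
        sed -i.bak "s/^\([0-9][0-9]*:$ev:[^:]*\):[^:]*\$/\1:vm/" "$stage/audit_event"
    done
    # audit_control: add vm to the global flags unless it is already there
    grep -qE '^flags:(.*,)?vm(,|$)' "$stage/audit_control" || \
        sed -i.bak 's/^flags:\(.*\)$/flags:\1,vm/' "$stage/audit_control"
    # audit_user line format: username:alwaysaudit:neveraudit; the user's mask
    # is (flags | alwaysaudit) minus neveraudit, so vm disappears for this user
    sed -i.bak "/^$user:/d" "$stage/audit_user"
    printf '%s:no:vm\n' "$user" >> "$stage/audit_user"
    rm -f "$stage"/*.bak
}
```

The new mask only takes effect for sessions started after `audit -s`, since `login`/`loginwindow` set the per-user mask at session start.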