
List:       selinux
Subject:    Re: Writing a program to monitor the SELinux log
From:       Jason Axelson <jaxelson@referentia.com>
Date:       2011-11-02 4:07:49
Message-ID: CAC9ii1pMkekO0e-vj4iYD3m5CRAB3d+3c5TcVaSS_KKeO_4geg@mail.gmail.com

On Wed, Oct 12, 2011 at 2:37 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 10/11/2011 11:07 PM, Jason Axelson wrote:
>> Hi,
>>
>> I am writing a program that will monitor the SELinux log for AVC
>> violations and deal with them appropriately. Currently I am looking
>> at approaches to monitor the SELinux log.
>>
>> One approach is to do raw monitoring of /var/log/audit/audit.log
>> with something like: tail -f /var/log/audit/audit.log | ausearch -m
>> avc
>>
>> A second approach may be to implement an SETroubleShoot plugin:
>> https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20Overview
>>
>>  I'm kind of leaning towards an SETroubleShoot plugin since it
>> seems like less new development and the infrastructure seems to be
>> already there.
>>
>> Is this a valid approach? Is there a better way?
>>
> I would say either just write an setroubleshoot plugin or copy the
> code in sedispatch from setroubleshoot to build your own audit
> dispatcher, that watches for SELinux messages.

Thanks for all of the suggestions!

After some consideration I think I will either copy sedispatch or
write my own version of sedispatch (it's only 266 lines after all!).
This was mainly chosen because it is simple, performant, and doesn't
bring in unnecessary dependencies.

Thanks,
Jason


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
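An added illustration of the dispatcher approach discussed above (this is example code written for this archive page, not Jason's program and not setroubleshoot's sedispatch). auditd's dispatcher hands each audit record to a registered plugin on stdin, one record per line; the script below reads that stream, keeps the type=AVC records, and parses them into structured events for a handler. The plugin path in the comment, the sample audit records and the print_event handler are constructed assumptions; the .conf keys shown (active, direction, path, type, args, format) are the standard audisp plugin keys.

```python
"""Minimal AVC watcher in the style of an auditd dispatcher plugin.

auditd's dispatcher delivers each audit record to a plugin on stdin, one
record per line, when the plugin is registered with a .conf file such as
(path is an assumed example; the keys are the standard audisp plugin keys):

    active = yes
    direction = out
    path = /usr/local/sbin/avc-watch.py
    type = always
    args =
    format = string

This script picks the type=AVC records out of that stream and hands each
one, as a dict, to a handler.  It is an illustration, not sedispatch.
"""
import json
import re
import sys
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Header shared by every audit record type: type=... msg=audit(ts:serial):
_HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
    r'\s*(?P<body>.*)$'
)
# AVC body: "avc:  denied  { perm perm } for  key=value key=value ..."
_AVC_RE = re.compile(
    r'^avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm="httpd") or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records for offline use (not taken from a real host).
SAMPLE_RECORDS: List[str] = [
    'type=SYSCALL msg=audit(1320206869.123:456): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1320206869.123:456): avc:  denied  { read open } for  '
    'pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1320206870.456:457): avc:  denied  { name_bind } for  '
    'pid=1300 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket '
    'permissive=1',
]


def parse_avc_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; return an event dict for AVC records, else None."""
    m = _HEADER_RE.match(line.strip())
    if m is None or m.group('type') != 'AVC':
        return None
    a = _AVC_RE.match(m.group('body'))
    if a is None:
        return None
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(a.group('fields')):
        fields[key] = bare if bare else quoted
    return {
        'serial': int(m.group('serial')),
        'time': float(m.group('ts')),
        'result': a.group('result'),
        'perms': a.group('perms').split(),
        # permissive=1 means the denial was logged but not enforced.
        'permissive': fields.get('permissive') == '1',
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if fields.get('pid', '').isdigit() else None,
        'fields': fields,
    }


def avc_events(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one event per AVC record in a stream of audit records.

    Records of other types (SYSCALL, CWD, PATH ...) that share the AVC's
    serial are skipped here; a fuller monitor would group them by serial.
    """
    for line in lines:
        event = parse_avc_record(line)
        if event is not None:
            yield event


def run(lines: Iterable[str],
        handler: Callable[[Dict[str, object]], None]) -> int:
    """Feed every AVC event to the handler; return how many were seen."""
    count = 0
    for event in avc_events(lines):
        handler(event)
        count += 1
    return count


def print_event(event: Dict[str, object]) -> None:
    """Placeholder handler: emit the event as one JSON line on stdout."""
    print(json.dumps(event, sort_keys=True), flush=True)


if __name__ == '__main__':
    # Under the dispatcher, records arrive on stdin until auditd closes it.
    run(sys.stdin, print_event)
```

Piping `tail -f` into the parser is not equivalent: log rotation and buffering can drop or delay records, whereas the dispatcher delivers them as auditd writes them. The handler is where the "deal with them appropriately" logic goes; the parser deliberately keeps the raw key/value fields so a handler can inspect anything not lifted into a named key.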