
Re: Writing a program to monitor the SELinux log



On Wed, Oct 12, 2011 at 2:37 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 10/11/2011 11:07 PM, Jason Axelson wrote:
>> Hi,
>>
>> I am writing a program that will monitor the SELinux log for AVC
>> violations and deal with them appropriately. Currently I am looking
>> at approaches to monitor the SELinux log.
>>
>> One approach is to do raw monitoring of /var/log/audit/audit.log
>> with something like: tail -f /var/log/audit/audit.log | ausearch -m
>> avc
>>
>> A second approach may be to implement an SETroubleShoot plugin:
>> https://fedorahosted.org/setroubleshoot/wiki/SETroubleShoot%20Overview
>>
>> I'm kind of leaning towards an SETroubleShoot plugin since it
>> seems like less new development and the infrastructure seems to be
>> already there.
>>
>> Is this a valid approach? Is there a better way?
>>
> I would say either just write an setroubleshoot plugin or copy the
> code in sedispatch from setroubleshoot to build your own audit
> dispatcher, that watches for SELinux messages.

Thanks for all of the suggestions!

After some consideration I think I will either copy sedispatch or
write my own version of sedispatch (it's only 266 lines after all!).
This was mainly chosen because it is simple, performant, and doesn't
bring in unnecessary dependencies.

Thanks,
Jason


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
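An added example, not code from this thread or from sedispatch: a small Python parser for the AVC records that the `tail -f /var/log/audit/audit.log | ausearch -m avc` approach would feed a monitor, filtering to denials and tallying them by source context, target context and class. The log lines are constructed samples in audit.log format, not real data.

```python
import re

# Constructed sample records in audit.log format (not real log data).
SAMPLE_LOG = """\
type=AVC msg=audit(1318394823.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1318394823.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1318394830.500:457): avc:  granted  { setenforce } for  pid=2000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1318394835.001:458): avc:  denied  { write } for  pid=1234 comm="httpd" path="/var/log/httpd/error_log" dev=sda1 ino=999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# Trailing key=value pairs; values may be quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None if the line is another record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def denials(lines):
    """Yield only denied AVC records, the events a monitor would act on."""
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            yield rec

def summarize(lines):
    """Count denials per (scontext, tcontext, tclass) to spot repeated offenders."""
    counts = {}
    for rec in denials(lines):
        key = (rec["scontext"], rec["tcontext"], rec["tclass"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for rec in denials(SAMPLE_LOG.splitlines()):
        print(rec["comm"], rec["perms"], rec["scontext"], "->", rec["tcontext"], rec["tclass"])
```

To run it against a live system, replace `SAMPLE_LOG.splitlines()` with an iterator over the file being followed; `ausearch` output carries the same `type=AVC` records.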

