Linux Auditing System Events #18

Closed
markfarrell opened this issue May 27, 2020 · 0 comments

markfarrell commented May 27, 2020

Steps to Resolution

2102f7a

  • Define a module, Text.Parsing.Linux.Audit, that exports a function entry :: Parser String Foreign, which parses raw Linux Auditing System log entries in JSON format.
  • Implement a test module, Test.Text.Parsing.Linux.Audit, that exports a function suite :: Aff Unit, with an appropriate set of unit tests for the public exports of Text.Parsing.Linux.Audit.

Follow-Up Issues

  • Define an entry point, Main.Text.Parsing.Linux.Audit, that reads a sample of raw Linux Auditing System entries from a log file passed as a process argument. It should write parsed log entries in JSON format to a file passed as a process argument.
  • Define an entry point, Main.Control.FS.Linux.Audit, that acts as an event collector that continuously watches for changes to the input file passed as a process argument, applies SQLi risk mitigations to the properties of parsed log file entries in JSON format, and writes parsed/validated log entries in JSON format to a SQLite3 database (e.g. with a table for each type of log entry).
  • Define an entry point Main.Control.{HTTP,TCP}.Linux.Audit that spawns an HTTP/HTTPS or TCP event collector that allows clients to forward raw Linux Auditing System entries, with a fresh authorization token for each new request (where authorization tokens are passed in the body of the response to previous requests for each new request), storing the entries in a SQLite3 database.
  • I'm not sure if it is possible to configure auditd to forward log entries to a UNIX domain socket, and would like to test this as part of a follow-up issue, e.g. implementing an analogous event collector with an appropriate entry point.
  • Conduct a 24hr test of parsing/validating forwarded Linux Auditing System log entries in JSON format, in a model production test scenario.
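The following is an added example, not code from the issue or from the project (whose modules are PureScript). It sketches in Python the two pieces the steps above describe: parsing raw auditd lines (`type=... msg=audit(ts:serial): key=value ...`) into JSON-ready records, and writing them to a SQLite3 database with one table per record type. The SQLi mitigation is twofold: field values are only ever bound as query parameters, never interpolated, and the record type, which has to become part of an identifier and so cannot be bound, is checked against an allow-list pattern before use. The log lines, table layout and function names are constructed for this example.

```python
import json
import re
import sqlite3

# Constructed sample entries in the raw auditd format (illustrative values, not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1590580000.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4242 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1590580000.123:456): argc=2 a0="ls" a1="-la"
type=USER_LOGIN msg=audit(1590580010.500:457): pid=1234 uid=0 auid=1000 msg='op=login acct="alice" exe="/usr/sbin/sshd" res=success'
"""

# A constructed line whose comm value carries SQL syntax; it must land in the database verbatim
# without executing anything.
INJECTION_LINE = 'type=SYSCALL msg=audit(1590580020.000:458): syscall=59 comm="x\'); DROP TABLE audit_syscall; --"\n'

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value where the value is double-quoted, single-quoted (nested msg='...'), or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\'([^\']*)\'|(\S+))')
# Only record types of this shape may be turned into table names.
TYPE_NAME_RE = re.compile(r'^[A-Z][A-Z0-9_]{0,63}$')


def parse_entry(line):
    """Parse one raw audit line into a dict; return None when the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("rest")):
        # exactly one of the three value alternatives matched
        fields[fm.group(1)] = next(g for g in fm.group(3, 4, 5) if g is not None)
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def parse_log(text):
    """Parse every line; unparseable lines are skipped rather than aborting the whole batch."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def to_json(entries):
    """Serialize parsed entries as JSON lines (one object per line)."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries)


def table_for(entry_type):
    """Identifiers cannot be bound as parameters, so allow-list the type before using it as a table name."""
    if not TYPE_NAME_RE.match(entry_type):
        raise ValueError("refusing to derive a table name from untrusted record type %r" % entry_type)
    return "audit_" + entry_type.lower()


def store_entries(entries, db_path=":memory:"):
    """Write entries to SQLite, one table per record type; values go in only as bound parameters."""
    conn = sqlite3.connect(db_path)
    for e in entries:
        table = table_for(e["type"])  # validated identifier, quoted below
        conn.execute('CREATE TABLE IF NOT EXISTS "%s" (serial INTEGER, ts REAL, fields TEXT)' % table)
        conn.execute(
            'INSERT INTO "%s" (serial, ts, fields) VALUES (?, ?, ?)' % table,
            (e["serial"], e["timestamp"], json.dumps(e["fields"], sort_keys=True)),
        )
    conn.commit()
    return conn


def row_counts(conn):
    """Return {table_name: row_count} for every table in the database."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    return {n: conn.execute('SELECT COUNT(*) FROM "%s"' % n).fetchone()[0] for n in names}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG + INJECTION_LINE)
    print(to_json(parsed))
    print(row_counts(store_entries(parsed)))
```

Two failure modes are worth keeping in mind when extending this: real auditd hex-encodes values that contain quotes or non-printable bytes (they appear as an unquoted hex string rather than a quoted one), so a production parser needs a decoding step for those, and a tail-following collector must tolerate a partial last line while the file is still being written.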
@markfarrell markfarrell added this to the RELEASE-01/TIER-02 milestone May 27, 2020
markfarrell added a commit that referenced this issue May 29, 2020
markfarrell added a commit that referenced this issue May 29, 2020
markfarrell added a commit that referenced this issue May 29, 2020
markfarrell added a commit that referenced this issue May 30, 2020
markfarrell added a commit that referenced this issue May 31, 2020
markfarrell added a commit that referenced this issue May 31, 2020
markfarrell added a commit that referenced this issue May 31, 2020
markfarrell added a commit that referenced this issue Jun 1, 2020
@markfarrell markfarrell removed the STUB label Jun 19, 2020