Just an update to this...
I've implemented this feature at my work and it seems to function fine. However, the way I implemented it isn't very standard. It only works with the audit_linux.sh script and a Linux web server setup, and the audits are launched on the server.
The way it works is you click a link on the bottom of the page like you would to export to CSV, etc. Then it passes the SQL query and other POST information like the export to file does, only it passes it to a page kind of like the wake on LAN page. That page simply tells you if the audit script was able to launch successfully on the server, and what kind of audit you're doing (I also have the "Audit Now!" function going to this page to launch remote audits in the same fashion). For query audits, it passes the hostnames as a long string to the script as a switch, with hostnames separated by spaces.
To be able to see the audits that are actually running and kill any running processes you want, I created a page called show_active_audits.php. This page parses the ps output to look for script processes and displays all currently active processes with their PID, the command they're running, the process' elapsed time, and what computer it's trying to audit. The page is similar to the delete systems page in that it allows you to kill any and all active audits (so long as they were started from the webserver).
I also had to edit the admin config page to add an audits section so you can define authentication information for the audit script to run properly from the webserver. There are still some quirks I'm fleshing out.
I thought I'd at least post this to hopefully give some other people some ideas for how to do this.
_________________ OA Server: Debian Squeeze w/ Apache2 Auditing: 700 Workstations, 250 or so Retail Terminals, about 75 Servers OS's: Windows XP/2003/2008/2008 R2/Vista/7, Debian LDAP: Active Directory 2008 R2
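An added example, not the poster's code and not part of Open-AudIT, of the two pieces described in the post: validating the hostname list before it is handed to audit_linux.sh as a space-separated switch (so a hostname pulled from the database cannot carry shell metacharacters into the launch command), and parsing ps output so show_active_audits.php only lists and kills processes that really are audit script runs. The script path, the `-h` switch name and the `ps -eo pid,etimes,args` column layout are assumptions; the sample ps output is constructed.

```php
<?php
// Added example, not from the post or Open-AudIT. Path and switch name are assumptions.
const AUDIT_SCRIPT = '/usr/local/bin/audit_linux.sh';

// Keep only RFC 1123-style hostnames (labels of letters, digits, hyphens, joined by dots).
// Anything else, such as ';', '$(...)' or backticks, is dropped instead of reaching the shell.
function validate_hostnames(array $hosts): array {
    $ok = [];
    foreach ($hosts as $h) {
        $h = trim($h);
        if ($h === '' || strlen($h) > 253) continue;
        if (!preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/', $h)) continue;
        $ok[] = $h;
    }
    return array_values(array_unique($ok));
}

// Build the launch command: the whole space-separated list travels as ONE quoted argument.
function build_audit_command(array $hosts): string {
    $list = implode(' ', validate_hostnames($hosts));
    return 'nohup ' . escapeshellarg(AUDIT_SCRIPT) . ' -h ' . escapeshellarg($list)
         . ' > /dev/null 2>&1 &';
}

// Parse `ps -eo pid,etimes,args` output; keep only lines running the audit script.
// Returns rows of pid, elapsed seconds and the target hostnames after the -h switch.
function parse_active_audits(string $ps_output): array {
    $rows = [];
    foreach (explode("\n", $ps_output) as $line) {
        if (!preg_match('/^\s*(\d+)\s+(\d+)\s+(.*)$/', $line, $m)) continue; // skips header
        if (strpos($m[3], basename(AUDIT_SCRIPT)) === false) continue;
        $target = preg_match('/-h\s+(\S.*)$/', $m[3], $t) ? trim($t[1]) : '';
        $rows[] = ['pid' => (int)$m[1], 'elapsed' => (int)$m[2], 'target' => $target];
    }
    return $rows;
}

// Only signal a PID that is currently an audit process; any other PID is refused.
// Needs the posix extension for posix_kill().
function kill_audit(int $pid, string $ps_output): bool {
    foreach (parse_active_audits($ps_output) as $r) {
        if ($r['pid'] === $pid) return posix_kill($pid, SIGTERM);
    }
    return false;
}

// Constructed sample ps output for a stand-alone run.
$sample = "  PID ELAPSED COMMAND\n"
        . " 4120      95 /bin/bash /usr/local/bin/audit_linux.sh -h srv01 srv02.example.com\n"
        . " 4133       3 sleep 60\n";
print_r(parse_active_audits($sample));                 // one row: pid 4120, 95 s, 'srv01 srv02.example.com'
echo build_audit_command(['srv01', 'bad;rm -rf /', 'srv02.example.com']), "\n"; // injected entry dropped
```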