Date:      Mon, 11 Jul 2016 10:41:06 +0200
From:      Mateusz Piotrowski <0mp@FreeBSD.org>
To:        soc-status@FreeBSD.org
Subject:   Week 7 / Non-BSM to BSM Conversion Tools
Message-ID:  <D1082DE3-5233-4218-AB7A-7BAAEE454078@FreeBSD.org>


Hello,

During this week I focused on implementing the conversion from Linux Audit to BSM.

It turns out that the Linux Audit format is not well standardized and I do not understand many aspects of the format yet. At the moment my program is able to parse and perform a basic conversion of Linux Audit logs. It means that all the Linux Audit fields are converted to text tokens using au_to_text(3).

Additionally, I extended the interface of libbsm. I added a function au_close_buffer_tm() which is au_to_buffer() with a possibility to set an arbitrary timestamp for the audit record. I had to do it because the interface didn’t allow me to easily use an arbitrary timestamp - au_write(3) automatically used gettimeofday to set the time. The file with the modified code is /contrib/openbsm/libbsm/bsm_audit.c.

I created a wiki where I store useful links for future reference: [1].

Due to the complexity of the Linux Audit format and my lack of experience with audit logs and system calls I have to spend one more week on the conversion. I’ve updated the [Wiki] accordingly.

I’ve asked three questions on unix.stackexchange.com regarding Linux Audit:
- [4] http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records
- [5] http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique
- [6] http://unix.stackexchange.com/questions/294641/where-can-i-find-the-most-recent-dictionary-of-standard-linux-audit-event-fields

My major branch is [2] where I eventually pull all my code.
My current branch I work on: [3].


Cheers!

Mateusz Piotrowski

[Wiki]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools/
[GitHub]: https://github.com/0mp/freebsd/
[1]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools/LinuxAuditToBSM
[2]: https://github.com/0mp/freebsd/pull/9
[3]: https://github.com/0mp/freebsd/pull/41
[4]: http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records
[5]: http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique
[6]: http://unix.stackexchange.com/questions/294641/where-can-i-find-the-most-recent-dictionary-of-standard-linux-audit-event-fields
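As an added illustration of the parsing step the report describes (this is not code from the original message or from the GSoC project), the following Python sketch splits a Linux Audit record into its type, the timestamp and serial carried in `msg=audit(SEC.MSEC:SERIAL)`, and an ordered list of key=value fields that would each become one text token; the timestamp is kept separately because the author's converter needs it to set the BSM record time. The sample records and every value in them are constructed, and the "text token" here is a plain string standing in for au_to_text(3).

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not taken from any real system); all values are invented.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1468226466.123:4567): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=7ffd exe="/usr/bin/ls" key=(null)',
    'type=PATH msg=audit(1468226466.123:4567): item=0 name="/usr/bin/ls" inode=1234 '
    'mode=0100755 nametype=NORMAL name="/lib64/ld-linux-x86-64.so.2"',
]

@dataclass
class AuditRecord:
    rec_type: str
    tv_sec: int       # seconds since the epoch, from msg=audit(SEC.MSEC:SERIAL)
    tv_nsec: int      # the MSEC part scaled to nanoseconds (struct timespec style)
    serial: int       # event serial; records of one event share it
    fields: list = field(default_factory=list)   # ordered (key, value) pairs

    def duplicate_keys(self):
        # Field names are not guaranteed unique within a record (e.g. several name= fields),
        # so a converter keying tokens by name must be prepared for repeats.
        seen, dups = set(), []
        for k, _ in self.fields:
            if k in seen and k not in dups:
                dups.append(k)
            seen.add(k)
        return dups

    def text_tokens(self):
        # One "key=value" string per field, in record order.
        return [f"{k}={v}" for k, v in self.fields]

_HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*')
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_audit_record(line):
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a Linux Audit record header: " + line[:40])
    rec_type, sec, msec, serial = m.groups()
    rec = AuditRecord(rec_type, int(sec), int(msec) * 1_000_000, int(serial))
    for key, value in _FIELD.findall(line[m.end():]):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # drop the quotes the kernel puts around paths
        rec.fields.append((key, value))
    return rec
```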
