From: Mateusz Piotrowski <0mp@FreeBSD.org>
Subject: Week 7 / Non-BSM to BSM Conversion Tools
Date: Mon, 11 Jul 2016 10:41:06 +0200
To: soc-status@FreeBSD.org
Hello,

During this week I focused on implementing the conversion from Linux Audit to BSM.

It turns out that the Linux Audit format is not well standardized and I do not understand many aspects of the format yet. At the moment my program is able to parse and perform a basic conversion of Linux Audit logs. It means that all the Linux Audit fields are converted to text tokens using au_to_text(3).

Additionally, I extended the interface of libbsm. I added a function au_close_buffer_tm() which is au_to_buffer() with the possibility to set an arbitrary timestamp for the audit record. I had to do it because the interface didn't allow me to easily use an arbitrary timestamp - au_write(3) automatically used gettimeofday to set the time. The file with the modified code is /contrib/openbsm/libbsm/bsm_audit.c.

I created a wiki where I store useful links for future reference: [1].

Due to the complexity of the Linux Audit format and my lack of experience with audit logs and system calls I have to spend one more week on the conversion. I've updated the [Wiki] accordingly.
I've asked three questions on unix.stackexchange.com regarding Linux Audit:

- [4] http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records
- [5] http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique
- [6] http://unix.stackexchange.com/questions/294641/where-can-i-find-the-most-recent-dictionary-of-standard-linux-audit-event-fields

My major branch is [2], where I eventually pull all my code. The branch I am currently working on is [3].

Cheers!
Mateusz Piotrowski

[Wiki]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools/
[GitHub]: https://github.com/0mp/freebsd/
[1]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools/LinuxAuditToBSM
[2]: https://github.com/0mp/freebsd/pull/9
[3]: https://github.com/0mp/freebsd/pull/41
[4]: http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records
[5]: http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique
[6]: http://unix.stackexchange.com/questions/294641/where-can-i-find-the-most-recent-dictionary-of-standard-linux-audit-event-fields
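The report describes two things the converter has to do before any BSM token can be emitted: split a Linux Audit record into its fields, and take the timestamp from the record rather than from gettimeofday(). The C program below is an added example illustrating both; it is not the author's code and not part of the branches linked above, and it does not call libbsm. Everything about the format it assumes is this example's own assumption, not something the report states: a line starts with `type=T msg=audit(SEC.MSEC:SERIAL):`, the rest is space-separated key=value pairs, a value may be bare, double-quoted or single-quoted (USER_* records carry a whole nested key=value set inside msg='...'), and there is no escaping inside quotes. The sample lines are constructed, not captured, and the names parse_audit_record, audit_field_get, struct audit_record and the MAX_* limits are hypothetical.

```c
/* Added example, not project code: parser for one Linux Audit record line.
 * Assumed format (this example's assumption): "type=T msg=audit(SEC.MSEC:SERIAL):"
 * then key=value pairs whose values are bare, "double-" or 'single-quoted'
 * (USER_* records nest a whole key=value set inside msg='...'); no escaping. */
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { MAX_FIELDS = 64, MAX_KEY = 32, MAX_VAL = 256 };

struct audit_field { char key[MAX_KEY]; char val[MAX_VAL]; };
struct audit_record {
    char type[32];          /* SYSCALL, PATH, USER_ACCT, ... */
    time_t sec;             /* SEC from audit(SEC.MSEC:SERIAL) */
    int msec;               /* MSEC: with sec, the record's own timestamp */
    unsigned long serial;   /* SERIAL groups the records of one event */
    int nfields;
    struct audit_field fields[MAX_FIELDS];  /* file order, duplicates kept */
};

/* Constructed sample lines, not real captures. */
static const char SAMPLE_SYSCALL[] =
    "type=SYSCALL msg=audit(1468226468.193:42): arch=c000003e syscall=2 "
    "success=yes exit=3 items=1 pid=1234 uid=0 comm=\"cat\" exe=\"/bin/cat\" "
    "key=\"passwd-read\"\n";
static const char SAMPLE_USER_ACCT[] =
    "type=USER_ACCT msg=audit(1468226468.200:43): pid=1300 uid=0 auid=1000 "
    "msg='op=PAM:accounting acct=\"mateusz\" exe=\"/usr/bin/sudo\" res=success'";

/* Copies one bare or quoted value from *p into val and advances *p past it.
 * Returns -1 on an unterminated quote or an oversized value. */
static int parse_value(const char **p, char *val, size_t vlen)
{
    const char *s = *p;
    size_t n = 0;
    char q = (*s == '"' || *s == '\'') ? *s++ : 0;

    while (*s != '\0' && (q ? *s != q : (*s != ' ' && *s != '\n'))) {
        if (n + 1 >= vlen)
            return -1;
        val[n++] = *s++;
    }
    if (q && *s++ != q)
        return -1;              /* quote opened but never closed */
    val[n] = '\0';
    *p = s;
    return 0;
}

/* Parses one record line into rec. Returns 0 on success, -1 on malformed input. */
int parse_audit_record(const char *line, struct audit_record *rec)
{
    const char *p = line;
    unsigned long sec;
    int consumed = 0;
    size_t n;

    memset(rec, 0, sizeof(*rec));
    if (strncmp(p, "type=", 5) != 0)
        return -1;
    p += 5;
    n = strcspn(p, " \n");
    if (n == 0 || n >= sizeof(rec->type))
        return -1;
    memcpy(rec->type, p, n);
    rec->type[n] = '\0';
    for (p += n; *p == ' '; p++)
        ;
    /* Take timestamp and serial from the record itself, not from the clock. */
    if (sscanf(p, "msg=audit(%lu.%3d:%lu):%n", &sec, &rec->msec, &rec->serial,
               &consumed) != 3 || consumed == 0)
        return -1;
    rec->sec = (time_t)sec;
    for (p += consumed;; rec->nfields++) {
        struct audit_field *f = &rec->fields[rec->nfields];
        size_t klen;

        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            return 0;
        klen = strcspn(p, "= \n");
        if (klen == 0 || p[klen] != '=' || klen >= MAX_KEY ||
            rec->nfields >= MAX_FIELDS)
            return -1;
        memcpy(f->key, p, klen);
        f->key[klen] = '\0';
        p += klen + 1;
        if (parse_value(&p, f->val, sizeof(f->val)) != 0)
            return -1;
    }
}

/* First value stored under key, or NULL; repeated names are kept in order. */
const char *audit_field_get(const struct audit_record *rec, const char *key)
{
    int i;

    for (i = 0; i < rec->nfields; i++)
        if (strcmp(rec->fields[i].key, key) == 0)
            return rec->fields[i].val;
    return NULL;
}
```

Two design points. The fields are kept as an ordered array rather than a map, so if a name does occur twice in one record (the question behind [5]) nothing is silently overwritten and each occurrence can still become its own au_to_text(3) token. And sec/msec are what a converter would pass to a writer such as the au_close_buffer_tm() described above; a record whose header does not parse is rejected outright rather than being stamped with the conversion time, which would misplace it in the BSM trail.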