Date: Mon, 20 Sep 1999 11:57:06 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: security@FreeBSD.ORG
Subject: Re: Real-time alarms
Message-ID: <Pine.BSF.3.96.990920114831.42321D-100000@fledge.watson.org>
In-Reply-To: <199909201541.IAA59140@gndrsh.dnsmgr.net>
On Mon, 20 Sep 1999, Rodney W. Grimes wrote:

> > I'd advise against developing any more codebases for auditing--we already
> > have two :-). I have a /dev/audit, submission of records from a number of
> > syscalls, an auditd + IDS interface, and some log management code. Nate's
> > folk are working on a better kernel interface and implementation, as was
> > discussed on freebsd-security in July (please see archive for details).
> > My userland library currently supports most of the posix.1e audit
> > interface spec, and I have a set of posix.1e extensions for IDS modules.
> > My hope is to adapt my auditd to speak Nate's kernel improvements, but
> > continue to provide a standard interface and useful tools/etc.
>
> URL to source code please... and I already pointed out that we need
> to at least look at what is out there.

My first hack at the POSIX.1e auditing interface is available via:

http://www.watson.org/fbsd-hardening/posix1e/

Unfortunately, the newer revisions of my code are on a notebook in Massachusetts, and I'm currently in Maryland on business. However, I'll be back up there tomorrow night and will put the new stuff online ASAP (including passes at an IDS module interface).

The kernel interface available in that code base is pre-July code--i.e., before we had discussed how to do the kernel interface properly--I recommend ignoring that code, except from the point of view of seeing how it fits into the overall scheme. Essentially it does what has been discussed: the syscalls are allowed to generate records which are submitted to a queue that pops out of /dev/audit. An auditd listens on /dev/audit and retrieves records, reading them into an internal structure of the style suggested by the POSIX.1e interface, appropriate for passing to IDS routines, etc.
One thing that the code base doesn't currently contain is my new log format and text format for audit records--POSIX encourages the providing of a consistent text format for records, and the version online is a hack to convert a record to a string. In the version going online in a couple of days, I provide clean conversion to a string, as well as a parser/etc to pull text records back into manageable POSIX audrec_t's.

Part of the goal of the distribution I did put online was to make sections of POSIX.1e available in manpage format--since then, we've managed to get IEEE to release the documents themselves, which are available online at the posix1e homepage. There is a posix1e mailing list that may be subscribed to by sending email to majordomo@cyrus.watson.org with contents "subscribe posix1e".

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
