From owner-freebsd-security Mon Sep 20 8:57:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 5C97315B00 for ; Mon, 20 Sep 1999 08:57:07 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA42463; Mon, 20 Sep 1999 11:57:06 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Mon, 20 Sep 1999 11:57:06 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: "Rodney W. Grimes"
Cc: security@FreeBSD.ORG
Subject: Re: Real-time alarms
In-Reply-To: <199909201541.IAA59140@gndrsh.dnsmgr.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 20 Sep 1999, Rodney W. Grimes wrote:

> > I'd advise against developing any more codebases for auditing--we already
> > have two :-). I have a /dev/audit, submission of records from a number of
> > syscalls, an auditd + IDS interface, and some log management code. Nate's
> > folk are working on a better kernel interface and implementation, as was
> > discussed on freebsd-security in July (please see archive for details).
> > My userland library currently supports most of the posix.1e audit
> > interface spec, and I have a set of posix.1e extensions for IDS modules.
> > My hope is to adapt my auditd to speak Nate's kernel improvements, but
> > continue to provide a standard interface and useful tools/etc.
>
> URL to source code please... and I already pointed out that we need
> to at least look at what is out there.

My first hack at the POSIX.1e auditing interface is available via:

  http://www.watson.org/fbsd-hardening/posix1e/

Unfortunately, the newer revisions of my code are on a notebook in
Massachusetts, and I'm currently in Maryland on business. However, I'll be
back up there tomorrow night and will put the new stuff online ASAP
(including passes at an IDS module interface).

The kernel interface available in that code base is pre-July code--i.e.,
before we had discussed how to do the kernel interface properly--I
recommend ignoring that code, except from the point of view of seeing how
it fits into the overall scheme. Essentially it does what has been
discussed: the syscalls are allowed to generate records which are
submitted to a queue that pops out of /dev/audit. An auditd listens on
/dev/audit and retrieves records, reading them into an internal structure
of the style suggested by the POSIX.1e interface, appropriate for passing
to IDS routines, etc.

One thing that the code base doesn't currently contain is my new log
format and text format for audit records--POSIX encourages the providing
of a consistent text format for records, and the version online is a hack
to convert a record to a string. In the version going online in a couple
of days, I provide clean conversion to a string, as well as a parser/etc
to pull text records back into manageable POSIX audrec_t's.

Part of the goal of the distribution I did put online was to make sections
of POSIX.1e available in manpage format--since then, we've managed to get
IEEE to release the documents themselves, which are available online at
the posix1e homepage. There is a posix1e mailing list that may be
subscribed to by sending email to majordomo@cyrus.watson.org with contents
"subscribe posix1e".

Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
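The message above describes an auditd that pulls kernel-generated records off /dev/audit into an in-memory structure, writes them out in a consistent text format, and parses that text back into records. The following is an added example of that record-to-text-to-record round trip; it is not Robert Watson's code, not the code at the URL above, and not the POSIX.1e audrec_t. The `struct audit_rec` fields, the event numbering and the `key=value` line layout are this example's own assumptions. The point it makes for a defender is that the object path in a record is attacker-controlled data (a process can open any filename it likes), so the text encoder must escape it and the parser must reject anything malformed rather than accept a half-parsed record, or a crafted filename could forge field boundaries or inject a second, fake record into the log.

```c
/* Added example: a minimal text encoding and strict parser for audit
 * records (assumed layout, not POSIX.1e audrec_t or the posted code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define AUDIT_PATH_MAX 256

struct audit_rec {
    uint32_t event;                 /* event type id (assumed numbering) */
    uint32_t uid;                   /* subject user id */
    uint32_t pid;                   /* subject process id */
    int32_t  status;                /* syscall outcome: 0 = success, else errno */
    char     path[AUDIT_PATH_MAX];  /* object path: untrusted, any bytes */
};

/* Append one character to buf at *pos, keeping buf NUL-terminated. */
static int put_char(char *buf, size_t len, size_t *pos, char c)
{
    if (*pos + 1 >= len)
        return -1;
    buf[(*pos)++] = c;
    buf[*pos] = '\0';
    return 0;
}

/* Encode a record as one line. The path is quoted and backslash-escaped so
 * a path containing quotes, tabs or newlines cannot forge a field boundary
 * or a second record. Returns 0, or -1 if buf is too small. */
int audit_rec_to_text(const struct audit_rec *r, char *buf, size_t len)
{
    int n = snprintf(buf, len, "event=%u uid=%u pid=%u status=%d path=\"",
                     r->event, r->uid, r->pid, r->status);
    if (n < 0 || (size_t)n >= len)
        return -1;
    size_t pos = (size_t)n;
    for (const char *p = r->path; *p != '\0'; p++) {
        char esc = 0;
        switch (*p) {
        case '\\': esc = '\\'; break;
        case '"':  esc = '"';  break;
        case '\n': esc = 'n';  break;
        case '\t': esc = 't';  break;
        }
        if (esc) {
            if (put_char(buf, len, &pos, '\\') || put_char(buf, len, &pos, esc))
                return -1;
        } else if (put_char(buf, len, &pos, *p)) {
            return -1;
        }
    }
    return put_char(buf, len, &pos, '"');
}

/* Parse one line written by audit_rec_to_text. Returns 0 on success, -1 on
 * any malformed input (missing field, unterminated quote, unknown escape,
 * path too long) so the caller never stores a partially parsed record. */
int audit_rec_from_text(const char *line, struct audit_rec *r)
{
    int off = 0;
    memset(r, 0, sizeof(*r));
    /* %n records how far the fixed prefix reached; it stays 0 if the
     * literal 'path="' did not match. */
    if (sscanf(line, "event=%u uid=%u pid=%u status=%d path=\"%n",
               &r->event, &r->uid, &r->pid, &r->status, &off) != 4 || off == 0)
        return -1;
    size_t i = 0;
    for (const char *p = line + off; *p != '"'; p++) {
        char c = *p;
        if (c == '\0')
            return -1;              /* unterminated quote */
        if (c == '\\') {
            switch (*++p) {
            case '\\': c = '\\'; break;
            case '"':  c = '"';  break;
            case 'n':  c = '\n'; break;
            case 't':  c = '\t'; break;
            default:   return -1;   /* unknown or truncated escape */
            }
        }
        if (i + 1 >= sizeof(r->path))
            return -1;              /* would overflow the path field */
        r->path[i++] = c;
    }
    r->path[i] = '\0';
    return 0;
}

/* Returns 1 if encoding then parsing reproduces the record exactly. */
int audit_rec_roundtrip_ok(const struct audit_rec *in)
{
    char line[1024];
    struct audit_rec out;
    if (audit_rec_to_text(in, line, sizeof line) != 0)
        return 0;
    if (audit_rec_from_text(line, &out) != 0)
        return 0;
    return in->event == out.event && in->uid == out.uid && in->pid == out.pid
        && in->status == out.status && strcmp(in->path, out.path) == 0;
}

int main(void)
{
    /* Constructed sample: a failed open(2) on a path built to look like a
     * closing quote followed by a second, bogus record. */
    struct audit_rec r = { 42, 1001, 3377, 13, "" };
    strcpy(r.path, "/tmp/x\"\n event=1 uid=0 pid=1 status=0 path=\"/etc/passwd\t");
    char line[1024];
    if (audit_rec_to_text(&r, line, sizeof line) == 0)
        printf("%s\n", line);
    printf("roundtrip %s\n", audit_rec_roundtrip_ok(&r) ? "ok" : "FAILED");
    return 0;
}
```

The encoder and parser are deliberately symmetric and the parser fails closed: a line that the encoder could not have produced is rejected outright, which is the property an auditd wants before handing records to IDS routines or writing them to a log.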