Date:      Mon, 6 Jun 2016 04:45:18 +0200
From:      Mateusz Piotrowski <0mp@FreeBSD.org>
To:        soc-status@FreeBSD.org
Subject:   Week 2 / Non-BSM to BSM Conversion Tools / Problems with mapping and NFS
Message-ID:  <777F3D4D-60FC-4D20-9555-3C9FF01356E4@FreeBSD.org>


Hello,

Mapping
=====
I read some contrib/openbsm source code to get the idea of how I should implement the conversion from the Linux Audit format to the BSM format. 

It turns out it is a little bit more complicated than I thought at the beginning. It is not obvious to me yet how I should map the Linux Audit format to the BSM format. 

On one hand I can try to map as many Linux Audit audit fields to the BSM fields as possible; it seems to be rather troublesome. On the other hand I can ignore the whole mapping issue and just create a proper BSM trail using the header token, trailer token and a bunch of arbitrary data tokens to pack all the Linux audit events there. 

The best approach would be something in the middle I guess. I wasn’t able to come up with a neat solution on my own yet however; I’ve got to present my research to my mentor and ask for advice since I’m stuck.

Here’s an email I’ve sent to freebsd-hackers@ where I asked for help with understanding how the /etc/security/audit_event file works (https://lists.freebsd.org/pipermail/freebsd-hackers/2016-June/049550.html). I didn’t receive any answer yet.


Parsing
=====
I felt a little bad about the fact that I’ve not written a single line of code yet. This is why I decided to start writing a parser for the Linux Audit trails. I’ve got to ask my mentor whether it wouldn’t be smarter to adopt the code which parses Linux Audit trails since it is already written (http://people.redhat.com/sgrubb/audit/audit-parse.txt).


NFS
=====
My mentor suggested that I set up FreeBSD with NFS. I tried really hard to get it working. My virtual machine basically fails to boot. I created a step-by-step tutorial for future reference: https://github.com/0mp/freebsd/wiki/Set-up-FreeBSD-with-NFS. It is mainly based on oshogbo’s tutorial (http://oshogbo.vexillium.org/blog/28/).

I’ll update the tutorial as soon as I fix my NFS.


New repository
=====
I have a new repository: https://github.com/0mp/freebsd.


Midterm evaluation is coming
=====
Hopefully, I’ll manage to catch up with at least some of my milestones which I planned to reach before the midterm evaluation. I simply cannot work full-time on my GSoC project due to the exams coming soon.


Outdated Wiki
=====
I didn’t update my Wiki page in a while because I’m struggling with the mapping issue. The link to the project’s Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools.


Cheers!

-Mateusz
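The "ignore the mapping" layout described in the Mapping section above, a BSM record made of a header token, arbitrary-data tokens carrying the raw Linux Audit line, and a trailer token, as an added Python example that is not part of this report or of OpenBSM. Token ids and field layouts follow openbsm's bsm/audit_record.h; the Linux Audit line and the event number (AUE_NULL) are constructed placeholders, and the real Linux-to-BSM event mapping is left open, as in the report. The one edge case worth knowing is that an AUT_DATA token's unit count is a single byte, so a long audit line has to be split over several data tokens.

```python
import struct

# Token ids and constants as defined in openbsm's bsm/audit_record.h.
AUT_HEADER32 = 0x14
AUT_TRAILER = 0x13
AUT_DATA = 0x21                   # "arbitrary data" token
AUDIT_HEADER_VERSION_OPENBSM = 11
AUT_TRAILER_MAGIC = 0xB105
AUP_STRING = 4                    # how-to-print: as a string
AUR_BYTE = 0                      # basic unit: one byte
AUE_NULL = 0                      # placeholder event number; no mapping done here
AUDIT_DATA_MAX = 255              # unit count is one byte, so 255 units per token
HEADER32_LEN, TRAILER_LEN = 18, 7

def data_tokens(payload: bytes) -> bytes:
    """Pack payload into as many AUT_DATA tokens as needed (<=255 bytes each)."""
    out = []
    for i in range(0, len(payload), AUDIT_DATA_MAX):
        chunk = payload[i:i + AUDIT_DATA_MAX]
        out.append(struct.pack(">BBBB", AUT_DATA, AUP_STRING, AUR_BYTE, len(chunk)) + chunk)
    return b"".join(out)

def wrap_record(line: str, event: int, secs: int, msecs: int) -> bytes:
    """Build header32 + data tokens + trailer; byte counts cover the whole record."""
    body = data_tokens(line.encode())
    total = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, total,
                         AUDIT_HEADER_VERSION_OPENBSM, event, 0, secs, msecs)
    trailer = struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, total)
    return header + body + trailer

def unwrap_record(rec: bytes):
    """Validate header/trailer and return (event, secs, list of data chunks)."""
    tid, total, ver, event, _mod, secs, _msecs = struct.unpack_from(">BIBHHII", rec, 0)
    if tid != AUT_HEADER32 or ver != AUDIT_HEADER_VERSION_OPENBSM or total != len(rec):
        raise ValueError("bad header token")
    ttid, magic, tlen = struct.unpack_from(">BHI", rec, len(rec) - TRAILER_LEN)
    if ttid != AUT_TRAILER or magic != AUT_TRAILER_MAGIC or tlen != total:
        raise ValueError("bad trailer token")
    pos, chunks = HEADER32_LEN, []
    while pos < len(rec) - TRAILER_LEN:
        dtid, _print, unit, count = struct.unpack_from(">BBBB", rec, pos)
        if dtid != AUT_DATA or unit != AUR_BYTE:
            raise ValueError("unexpected token at offset %d" % pos)
        pos += 4
        chunks.append(rec[pos:pos + count])
        pos += count
    return event, secs, chunks

# Constructed sample line in Linux Audit format (not a real capture).
SAMPLE_LINE = "type=SYSCALL msg=audit(1465180000.123:42): arch=c000003e syscall=2 success=yes exit=3"
```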
