Date:      Thu, 29 Jul 2010 14:55:57 -0500
From:      Sergio Ligregni <ligregni@unixmexico.org>
To:        soc-status@freebsd.org
Cc:        Stacey Son <sson@freebsd.org>
Subject:   Distributed Audit Project Report
Message-ID:  <AANLkTinD-QMDA=uMkV_V3dvsAefiV0VM6QAXFt-ADQ9z@mail.gmail.com>

Hi!

The project is going pretty well; the changes made since the MidTerm Eval:

- MD5 to SHA256 checksum when verifying the integrity of an audit trail
- Multi audit trail directories allowed, that is, if audit_control has "dir:
/var/audit /var/audit2 /var/audit3", and the shipd_control file has the
three configured also, the daemon will search through all directories
listed for audit trails (but, if duplicated, since the important thing is
the name and the SHA256, there will be no double transfer of trails)
- Fixed the security issues related to strxxx functions, and styled
(style(9)) the code.

TO_DO (next days):

- config audit_warn to call shipd when a trail is closed (if someone has
ideas to do that, help is welcome)
- "migrate" BSD sockets to BIO sockets, in order to get SSL implemented.

HELP NEEDED:

/*++++++++++++++++++++++*/

- which code should I base my development on in getting parameters from a file?
(I've searched some of audit.c, auditd_fbsd.c, auditd.c but haven't found the
function to do that, maybe I missed something), currently I have files like:

/var/audit
/var2/audit
1000
yes
53686

and got the parameters with sscanf, but the right way (the one I want to
know which code to take as baseline):

dir:/var/audit /var2/audit
time: 1000
slave_dir: yes
port: 53686

and not to use sscanf (avoiding that function is a security concern raised
by my mentor). I think I can do an algorithm to implement that, but
maybe there is a better/safer way to do it in order to keep the standard.

/*++++++++++++++++++++++*/

Currently I have this function to verify if a file is a trail, given its
name; this is very poor and it needs to be improved, any ideas?

#include <ctype.h>
#include <string.h>

/*
 * When exploring /var/audit/ (or the directory where the trails are), not
 * all files are trails so we must ensure we will only deal with the ones
 * that are trails.
 */
static int
is_audit_trail(char *path)
{
  /*
   * We have these possibilities, only the first one is allowed
   * 20100619223115.20100619223131 20100619223131.not_terminated
   * current
   */

  if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
    /* XXX To improve this checking later */
    return 1;
  }
  return 0;
}

/*++++++++++++++++++++++*/

Thanks!
-- 
-----------------------------------------------------------
Sergio Andrés Ligregni Arredondo

Computer Systems Engineering student, ITQ.
Is UNIX Hot Enough for You? | FreeBSD
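An added example (not code from the project or from the mail above) addressing the two help requests: a stricter is_audit_trail() that validates both timestamp halves of a trail name, and an sscanf-free parser for the "key: value" shipd_control format sketched in the mail. The names parse_control_line() and parse_port() are assumptions, as is the line format itself.

```c
#include <stdlib.h>
#include <string.h>

/* Trail names are <14 digits>.<14 digits>; "current" and the equally
 * 29-byte "<14 digits>.not_terminated" are rejected by checking both halves. */
static int
is_audit_trail(const char *name)
{
	if (name == NULL || strlen(name) != 29 || name[14] != '.')
		return (0);
	return (strspn(name, "0123456789") == 14 &&
	    strspn(name + 15, "0123456789") == 14);
}

/* Split one "key: value" line at the first ':' without sscanf.  Blanks
 * after the colon and the trailing newline are dropped, inner blanks
 * ("/var/audit /var2/audit") kept; returns 0 if malformed or oversized. */
static int
parse_control_line(const char *line, char *key, size_t klen,
    char *val, size_t vlen)
{
	const char *colon, *v;
	size_t n;

	if ((colon = strchr(line, ':')) == NULL || colon == line)
		return (0);
	n = (size_t)(colon - line);
	if (n >= klen)
		return (0);
	memcpy(key, line, n); key[n] = '\0';
	v = colon + 1 + strspn(colon + 1, " \t");
	n = strcspn(v, "\r\n");
	if (n >= vlen)
		return (0);
	memcpy(val, v, n); val[n] = '\0';
	return (1);
}

/* Range-checked "port:" conversion; atoi()/sscanf("%d") accept trailing junk. */
static int
parse_port(const char *s, int *port)
{
	char *ep;
	long l = strtol(s, &ep, 10);
	if (*s == '\0' || *ep != '\0' || l < 1 || l > 65535)
		return (0);
	*port = (int)l;
	return (1);
}
```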