Date: Mon, 6 Jun 2016 04:45:18 +0200
From: Mateusz Piotrowski <0mp@FreeBSD.org>
To: soc-status@FreeBSD.org
Subject: Week 2 / Non-BSM to BSM Conversion Tools / Problems with mapping and NFS
Message-ID: <777F3D4D-60FC-4D20-9555-3C9FF01356E4@FreeBSD.org>
Hello,

Mapping
=====

I read some contrib/openbsm source code to get the idea of how I should implement the conversion from the Linux Audit format to the BSM format. It turns out it is a little bit more complicated than I thought at the beginning. It is not obvious to me yet how I should map the Linux Audit format to the BSM format.

On one hand I can try to map as many Linux Audit fields to the BSM fields as possible; it seems to be rather troublesome. On the other hand I can ignore the whole mapping issue and just create a proper BSM trail using the header token, trailer token and a bunch of arbitrary data tokens to pack all the Linux Audit events there.

The best approach would be something in the middle, I guess. I wasn't able to come up with a neat solution on my own yet, however; I've got to present my research to my mentor and ask for advice since I'm stuck.

Here's an email I've sent to freebsd-hackers@ where I asked for help with understanding how the /etc/security/audit_event file works: https://lists.freebsd.org/pipermail/freebsd-hackers/2016-June/049550.html. I haven't received any answer yet.

Parsing
=====

I felt a little bad about the fact that I've not written a single line of code yet. This is why I decided to start writing a parser for the Linux Audit trails. I've got to ask my mentor if it wouldn't be smarter to adopt the code which parses Linux Audit trails since it is already written (http://people.redhat.com/sgrubb/audit/audit-parse.txt).

NFS
=====

My mentor suggested that I set up FreeBSD with NFS. I tried really hard to get it working. My virtual machine basically fails to boot. I created a step-by-step tutorial for future reference: https://github.com/0mp/freebsd/wiki/Set-up-FreeBSD-with-NFS. It is mainly based on oshogbo's tutorial (http://oshogbo.vexillium.org/blog/28/). I'll update the tutorial as soon as I fix my NFS.

New repository
=====

I have a new repository: https://github.com/0mp/freebsd.

Midterm evaluation is coming
=====

Hopefully, I'll manage to catch up with at least some of my milestones which I planned to reach before the midterm evaluation. I simply cannot work full-time on my GSoC project due to the exams coming soon.

Outdated Wiki
=====

I didn't update my Wiki page in a while because I'm struggling with the mapping issue. The link to the project's Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools.

Cheers!
-Mateusz
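As an added illustration of the second approach described under Mapping (wrap the Linux events in a header token, some data tokens and a trailer token) and of the parser mentioned under Parsing, here is example code that is not part of this mail or of the project. It parses one constructed Linux Audit log line into key/value pairs, packs it into a BSM record consisting of a header token, one text token per field and a trailer token, then reads the record back and refuses it if the header and trailer length fields disagree with the bytes present. Token ids (AUT_HEADER32, AUT_TEXT, AUT_TRAILER), the header version and the byte layout are my assumptions from reading OpenBSM's bsm/audit_record.h; the sample log line is constructed, and the event type 0 is a placeholder precisely because the Linux-to-BSM event mapping is the open question.

```python
"""Added example (not from the original mail or the project): wrap a parsed
Linux Audit line in a minimal BSM record and read it back.

Token ids, header version and byte layout are ASSUMED from my reading of
OpenBSM's bsm/audit_record.h; check them against that header before use."""
import re
import struct

# Assumed OpenBSM constants (bsm/audit_record.h).
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_TEXT = 0x28
AUDIT_HEADER_VERSION_OPENBSM = 11
AUT_TRAILER_MAGIC = 0xB105

# Big-endian layouts: header32 = id, record length, version, event type,
# event modifier, seconds, milliseconds; trailer = id, magic, record length.
HEADER32_FMT = ">BIBHHII"   # 18 bytes
TRAILER_FMT = ">BHI"        # 7 bytes
HEADER32_LEN = struct.calcsize(HEADER32_FMT)
TRAILER_LEN = struct.calcsize(TRAILER_FMT)

# Constructed sample line in the Linux Audit (auditd) log format.
SAMPLE_LINE = ('type=SYSCALL msg=audit(1465180800.123:42): arch=c000003e '
               'syscall=2 success=yes exit=3 pid=1234 uid=1000 comm="cat" '
               'exe="/bin/cat" key="files"')

_MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_linux_audit_line(line):
    """Split one auditd log line into its type, timestamp, serial and fields."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Linux Audit log line")
    rtype, secs, msecs, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    return {"type": rtype, "secs": int(secs), "msecs": int(msecs),
            "serial": int(serial), "fields": fields}


def text_token(s):
    """AUT_TEXT token: id, 16-bit length including the NUL, NUL-terminated text."""
    data = s.encode("utf-8") + b"\0"
    return struct.pack(">BH", AUT_TEXT, len(data)) + data


def build_bsm_record(event, event_type=0, event_modifier=0):
    """Pack a parsed Linux Audit event as header + text tokens + trailer.

    event_type 0 is a placeholder: mapping Linux record types onto BSM event
    numbers (audit_event(5)) is exactly the open question in the mail."""
    items = [("type", event["type"])] + list(event["fields"].items())
    body = b"".join(text_token(f"{k}={v}") for k, v in items)
    total = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(HEADER32_FMT, AUT_HEADER32, total,
                         AUDIT_HEADER_VERSION_OPENBSM, event_type,
                         event_modifier, event["secs"], event["msecs"])
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, AUT_TRAILER_MAGIC, total)
    return header + body + trailer


def parse_bsm_record(rec):
    """Read the record back, refusing it if header/trailer lengths disagree
    with the bytes actually present (a truncated trail fails here)."""
    if len(rec) < HEADER32_LEN + TRAILER_LEN:
        raise ValueError("record too short")
    tid, total, version, etype, emod, secs, msecs = struct.unpack_from(
        HEADER32_FMT, rec, 0)
    if tid != AUT_HEADER32 or version != AUDIT_HEADER_VERSION_OPENBSM:
        raise ValueError("bad header token")
    if total != len(rec):
        raise ValueError(f"header says {total} bytes, got {len(rec)}")
    texts = []
    pos = HEADER32_LEN
    end = total - TRAILER_LEN
    while pos < end:
        if pos + 3 > end:
            raise ValueError(f"truncated token at {pos}")
        ttid, tlen = struct.unpack_from(">BH", rec, pos)
        if ttid != AUT_TEXT:
            raise ValueError(f"unexpected token 0x{ttid:02x} at {pos}")
        start = pos + 3
        texts.append(rec[start:start + tlen - 1].decode("utf-8"))
        pos = start + tlen
    if pos != end:
        raise ValueError("text token overruns the trailer")
    ttid, magic, tlen = struct.unpack_from(TRAILER_FMT, rec, pos)
    if ttid != AUT_TRAILER or magic != AUT_TRAILER_MAGIC or tlen != total:
        raise ValueError("bad trailer token")
    return {"event_type": etype, "modifier": emod, "secs": secs,
            "msecs": msecs, "texts": texts}


if __name__ == "__main__":
    rec = build_bsm_record(parse_linux_audit_line(SAMPLE_LINE))
    print(len(rec), "bytes:", parse_bsm_record(rec))
```

The length check in parse_bsm_record is the part worth keeping whatever mapping is chosen in the end: a BSM reader locates the next record through the header's byte count, so a converter that emits an inconsistent count or trailer corrupts every record that follows in the trail.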