From: Mateusz Piotrowski <0mp@FreeBSD.org>
Subject: Week 8 / Non-BSM to BSM Conversion Tools
Date: Mon, 18 Jul 2016 11:24:24 +0200
Message-Id: <7AB5EB4C-7C22-444F-AD04-19534C25CC9C@FreeBSD.org>
To: soc-status@FreeBSD.org
List-Id: Summer of Code Status Reports and Discussion

Hello,

I've got a couple of pieces of interesting news for you.

# Parsing

According to what I've learnt from the Linux Audit mailing list, there is no document with the standard. Generally, no one is translating and parsing Linux Audit logs on their own because there is a library called auparse which is capable of parsing those not-so-well standardised Linux logs. As a result, my program is able to parse the most recent version of Linux Audit, which is not that great - Debian uses a version from 2012 and CentOS a 2013 one.

I was told that in the near future auparse will have its interface expanded and it will be easier to extract information from Linux Audit records.

# Conversion

I've created an extensible and easy-to-use framework to modify/improve the current conversion from Linux Audit to BSM. At the moment most of the Linux records are simply converted to text tokens (see audit.log(5)).

In fact, Linux Audit is a little bit of a constantly morphing black box, which means that logs might possibly contain anything inside. I was told that it is about to change, but you never know - remember that Debian uses a 4-year-old version of this software.

# CentOS

Now I am trying to get the most recent audit software on CentOS to see what Linux Audit records should really look like.

# Links:

- Linux Audit userspace TODO: https://github.com/linux-audit/audit-userspace/blob/master/TODO
- My email to linux-audit redhat com (Steve Grubb is a really nice guy!): https://www.redhat.com/archives/linux-audit/2016-July/msg00063.html

Cheers,
-m
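The two technical points in the report, grouping loosely standardised Linux Audit records into events (what auparse does for the project) and the fallback of wrapping each record in a BSM text token (audit.log(5)), can be illustrated with a small stand-alone script. The following is an added example, not code from the GSoC project or from libauparse: it hand-rolls a minimal `type=... msg=audit(secs.msecs:serial): key=value ...` parser over three constructed sample lines, groups records by their audit event id the way auparse's per-event iteration does, and encodes each record with the OpenBSM text-token layout (token id 0x28, 2-byte big-endian length, NUL-terminated text). The sample records, field names and the `SAMPLE_AUDIT_LOG` name are constructed for illustration.

```python
"""Parse Linux Audit records into events and wrap each record in a BSM text token.

Added example (not the project's code). The audit lines are constructed samples;
the real tool relies on libauparse rather than on a hand-written parser.
"""
import re
import struct
from collections import defaultdict

# BSM text token (OpenBSM audit.log(5)): 1-byte token id, 2-byte length, text + NUL.
AUT_TEXT = 0x28

# Constructed sample audit.log: two records belong to event 1468833865.113:100,
# the third is a separate event whose msg='...' payload carries nested fields.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1468833865.113:100): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1468833865.113:100): argc=2 a0="ls" a1="-la"
type=USER_LOGIN msg=audit(1468833870.000:101): pid=1300 uid=0 auid=1000 ses=2 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/0 res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<msecs>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# A value is double-quoted, single-quoted (nested payload), or a bare non-space run.
FIELD_RE = re.compile(r"""(?P<key>[A-Za-z0-9_\-]+)=(?P<val>"[^"]*"|'[^']*'|\S*)""")


def parse_fields(text):
    """Turn 'k=v k2="v 2" msg='a=b c=d'' into a dict; single-quoted payloads are parsed recursively."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        key, val = m.group("key"), m.group("val")
        if len(val) >= 2 and val[0] == val[-1] == "'":
            fields[key] = parse_fields(val[1:-1])
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            fields[key] = val[1:-1]
        else:
            fields[key] = val
    return fields


def parse_record(line):
    """Split one audit line into its type, event id (secs, msecs, serial) and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    event_id = (int(m.group("secs")), int(m.group("msecs")), int(m.group("serial")))
    return {"type": m.group("type"), "event": event_id,
            "fields": parse_fields(m.group("rest")), "raw": line.strip()}


def group_events(lines):
    """Group records sharing an audit event id, as auparse's per-event iteration does."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["event"]].append(rec)
    return dict(events)


def to_text_token(text):
    """Encode text as a BSM text token: id, big-endian 16-bit length (incl. NUL), bytes, NUL."""
    data = text.encode("utf-8") + b"\x00"
    if len(data) > 0xFFFF:
        raise ValueError("text too long for a BSM text token")
    return struct.pack(">BH", AUT_TEXT, len(data)) + data


def from_text_token(buf):
    """Decode a single text token, rejecting a wrong id, a bad length or a missing NUL."""
    tok, length = struct.unpack(">BH", buf[:3])
    if tok != AUT_TEXT or len(buf) != 3 + length or buf[-1:] != b"\x00":
        raise ValueError("malformed text token")
    return buf[3:-1].decode("utf-8")


def event_to_text_tokens(records):
    """Fallback conversion from the report: every record of an event becomes one text token."""
    return [to_text_token(rec["raw"]) for rec in records]


if __name__ == "__main__":
    for event_id, records in sorted(group_events(SAMPLE_AUDIT_LOG.splitlines()).items()):
        print("event %d.%03d:%d -> %d record(s)" % (event_id + (len(records),)))
        for tok in event_to_text_tokens(records):
            print("  ", tok[:3].hex(), from_text_token(tok)[:40])
```

Keeping each record as a text token preserves the raw Linux data verbatim, which is the safe default when the record format keeps changing between auditd versions; a later, type-specific mapping can replace individual tokens without touching the parsing or grouping stages.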