Re: Improvement for Distributed Audit Project

2010-08-09 Thread jhell
On 08/09/2010 13:24, Janne Snabb wrote:
> On Thu, 29 Jul 2010, Sergio Ligregni wrote:
> 
>>   /*
>>* We have these posibilities, only the first one is allowed
>>* 20100619223115.20100619223131 20100619223131.not_terminated
>>* current
>>*/
>>   if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>> /* XXX To improve this checking later */
>> return 1;
>>   }
> 
> Please note that the file names have an additional suffix in case
> "host" is defined in /etc/security/audit_control.
> 

Also note that auditd(8) complains to syslog that 'host:' is not set
correctly in audit_control(5) currently.

This may serve as a warning but it gets on your nerves after a while
when you look at it like an error when you first see it. Since it deals
with the audit system, a first glance at the warning sends error alerts off
in your head.

messages.0:Jun  4 19:47:15 disbatch auditd[1666]: audit_control(5) may
be missing 'host:' field

Is there some way that this could be silenced without actually adding
'host:' to audit_control(5)?

Maybe a possibility to just add 'host:localhost' to the default
configuration of audit_control(5)?

If localhost were an option and logging audits to a remote machine came
into play, would it be wise to ignore distribution of localhost from the
receiving machine?



Regards,

-- 

 jhell,v

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"


Re: Improvement for Distributed Audit Project

2010-08-09 Thread Janne Snabb
On Thu, 29 Jul 2010, Sergio Ligregni wrote:

>   /*
>* We have these posibilities, only the first one is allowed
>* 20100619223115.20100619223131 20100619223131.not_terminated
>* current
>*/
>   if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
> /* XXX To improve this checking later */
> return 1;
>   }

Please note that the file names have an additional suffix in case
"host" is defined in /etc/security/audit_control.

--
Janne Snabb / EPIPE Communications
sn...@epipe.com - http://epipe.com/


Improvement for Distributed Audit Project

2010-07-29 Thread Sergio Ligregni
I am Sergio Ligregni, from Mexico. I am currently working on the Distributed
Audit Project at GSoC 2010, and I want to ask your help with these things:

HELP NEEDED:

/*++*/

- Which code should I base my development on for getting parameters from a
file? (I've searched audit.c, auditd_fbsd.c and auditd.c but haven't found
the function to do that; maybe I missed something.) Currently I have files like:
/var/audit
/var2/audit
1000
yes
53686

and I get the parameters with sscanf, but the right way (the one for which I
want to know which code to take as a baseline) is:

dir:/var/audit /var2/audit
time: 1000
slave_dir: yes
port: 53686

and not to use sscanf (avoiding that function is a security concern raised
by my mentor). I think I can write an algorithm to implement that, but maybe
there is a better/safer way to do it in order to keep to the standard.

/*++*/
Currently I have this function to verify whether a file is a trail, given
its name. This is very poor and it needs to be improved; any ideas?

#include <ctype.h>
#include <string.h>

/*
 * When exploring /var/audit/ (or the directory where the trails are), not
 * all files are trails so we must ensure we will only deal with the ones
 * that are trails.
 */
static int
is_audit_trail(const char *path)
{
	/*
	 * We have these possibilities, only the first one is allowed:
	 * 20100619223115.20100619223131, 20100619223131.not_terminated,
	 * current
	 */
	if (strlen(path) == 29 && path[14] == '.' &&
	    isdigit((unsigned char)path[15])) {
		/* XXX To improve this checking later */
		return 1;
	}
	return 0;
}
/*++*/

By the way, the Wiki and the Perforce repository for this project are:

http://wiki.freebsd.org/SOC2010SergioLigregni
http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2010/disaudit&HIDEDEL=NO

Thanks!
-- 
---
Sergio Andrés Ligregni Arredondo

Student of Computer Systems Engineering, ITQ.
Is UNIX Hot Enough for You? | FreeBSD
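As an added example that is not the project's or any poster's code: a stricter version of the trail-name check Sergio asks about, which also accepts the ".<host>" suffix Janne points out is appended when audit_control(5) defines host:. It validates both timestamps digit by digit instead of trusting the total length, and the assumed shape of the host suffix (letters, digits, '-' and '.') is a guess, not something the thread specifies. The sample names in the comments are constructed from the forms quoted in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define TS_LEN 14   /* YYYYMMDDhhmmss */

/* Nonzero if the first n bytes of s are all ASCII digits. */
static int
all_digits(const char *s, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/*
 * Return 1 only for a completed trail name: "<start>.<stop>" where both
 * timestamps are 14 digits (e.g. "20100619223115.20100619223131"),
 * optionally followed by ".<host>" when audit_control(5) defines host:
 * (e.g. "20100619223115.20100619223131.disbatch"). The ".not_terminated"
 * and "current" names, anything containing '/', and malformed
 * timestamps return 0.
 */
int
is_completed_trail(const char *name)
{
    size_t len = strlen(name);
    const char *p;

    if (len < 2 * TS_LEN + 1 || strchr(name, '/') != NULL)
        return 0;
    if (!all_digits(name, TS_LEN) || name[TS_LEN] != '.' ||
        !all_digits(name + TS_LEN + 1, TS_LEN))
        return 0;
    if (len == 2 * TS_LEN + 1)
        return 1;               /* no host suffix */
    /* Host suffix (assumed shape): '.' then one or more of [A-Za-z0-9.-]. */
    p = name + 2 * TS_LEN + 1;
    if (*p != '.' || p[1] == '\0')
        return 0;
    for (p++; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return 0;
    return 1;
}
```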