Re: Improvement for Distributed Audit Project
On 08/09/2010 13:24, Janne Snabb wrote:
> On Thu, 29 Jul 2010, Sergio Ligregni wrote:
>
>>         /*
>>          * We have these possibilities, only the first one is allowed
>>          * 20100619223115.20100619223131 20100619223131.not_terminated
>>          * current
>>          */
>>         if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>>                 /* XXX To improve this checking later */
>>                 return 1;
>>         }
>
> Please note that the file names have an additional suffix in case
> "host" is defined in /etc/security/audit_control.
>

Also note that auditd(8) currently complains to syslog that 'host:' is not set correctly in audit_control(5). This may serve as a warning, but it gets on your nerves after a while, since it looks like an error when you first see it. Because it deals with the audit system, a first glance at the warning sets error alerts off in your head.

messages.0:Jun 4 19:47:15 disbatch auditd[1666]: audit_control(5) may be missing 'host:' field

Is there some way that this could be silenced without actually adding 'host:' to audit_control(5)? Maybe a possibility to just add 'host:localhost' to the default configuration of audit_control(5)?

If localhost would be an option and logging audits to a remote machine comes into play, then would it be wise to ignore distribution of localhost from the receiving machine?

Regards,

--
 jhell,v
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
Re: Improvement for Distributed Audit Project
On Thu, 29 Jul 2010, Sergio Ligregni wrote:

>         /*
>          * We have these possibilities, only the first one is allowed
>          * 20100619223115.20100619223131 20100619223131.not_terminated
>          * current
>          */
>         if (strlen(path) == 29 && path[14] == '.' && isdigit(path[15])) {
>                 /* XXX To improve this checking later */
>                 return 1;
>         }

Please note that the file names have an additional suffix in case
"host" is defined in /etc/security/audit_control.

--
Janne Snabb / EPIPE Communications
sn...@epipe.com - http://epipe.com/
Improvement for Distributed Audit Project
I am Sergio Ligregni, from Mexico. I am currently working on the Distributed Audit Project at GSoC 2010, and I want to ask your help with these things:

HELP NEEDED:

/*++*/

- Which code should I base my development on for getting parameters from a file? (I've searched audit.c, auditd_fbsd.c and auditd.c but did not find the function to do that; maybe I missed something.) Currently I have files like:

        /var/audit /var2/audit
        1000
        yes
        53686

and get the parameters with sscanf, but the right way (the one I want to know which code to take as baseline for) is:

        dir:/var/audit /var2/audit
        time: 1000
        slave_dir: yes
        port: 53686

and not to use sscanf (avoiding that function is a security concern raised by my mentor). I think I can write an algorithm to implement that, but maybe there is a better/safer way to do it in order to keep the standard.

/*++*/

Currently I have this function to verify whether a file is a trail, given its name. This is very poor and it needs to be improved; any ideas?

        #include <ctype.h>
        #include <string.h>

        /*
         * When exploring /var/audit/ (or the directory where the trails are), not
         * all files are trails so we must ensure we will only deal with the ones
         * that are trails.
         */
        static int
        is_audit_trail(const char *path)
        {
                /*
                 * We have these possibilities, only the first one is allowed
                 * 20100619223115.20100619223131 20100619223131.not_terminated
                 * current
                 */
                /* Cast to unsigned char: isdigit() is undefined for negative char values. */
                if (strlen(path) == 29 && path[14] == '.' &&
                    isdigit((unsigned char)path[15])) {
                        /* XXX To improve this checking later */
                        return 1;
                }
                return 0;
        }

/*++*/

By the way, the Wiki and the Perforce Repository for this project are:

http://wiki.freebsd.org/SOC2010SergioLigregni
http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/soc2010/disaudit&HIDEDEL=NO

Thanks!

--
Sergio Andrés Ligregni Arredondo
Student of Computer Systems Engineering, ITQ.
Is UNIX Hot Enough for You? | FreeBSD
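A stricter version of the trail-name check discussed in this thread, written here as an added example (it is not code from the disaudit project or from any of the posters): it accepts only completed trails named <start>.<stop>, rejects the not_terminated and current forms, and tolerates a trailing .<host> part, which is how this example assumes the suffix Janne mentions is attached. The suffix format and the host name used in the test are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define TS_LEN 14   /* YYYYMMDDHHMMSS */

/* True if the first TS_LEN bytes of s are all ASCII digits. */
static bool
is_timestamp(const char *s)
{
	for (size_t i = 0; i < TS_LEN; i++)
		if (!isdigit((unsigned char)s[i]))
			return false;
	return true;
}

/*
 * Return 1 if name is a completed audit trail file name, 0 otherwise.
 * Accepted: "<start>.<stop>" and "<start>.<stop>.<host>" (the ".<host>"
 * form is an assumption about how the host: suffix is appended).
 * Rejected: "<start>.not_terminated[...]", "current" and anything else.
 */
static int
is_audit_trail(const char *name)
{
	size_t len = strlen(name);
	const char *suffix;

	/* Shortest valid form is 14 + 1 + 14 = 29 bytes. */
	if (len < 2 * TS_LEN + 1)
		return 0;
	/* Both halves must be 14-digit timestamps separated by a dot. */
	if (!is_timestamp(name) || name[TS_LEN] != '.' ||
	    !is_timestamp(name + TS_LEN + 1))
		return 0;
	if (len == 2 * TS_LEN + 1)
		return 1;		/* plain "<start>.<stop>" */
	/* Anything longer must be ".<host>" with a non-empty host part. */
	suffix = name + 2 * TS_LEN + 1;
	if (suffix[0] != '.' || suffix[1] == '\0')
		return 0;
	if (strchr(suffix, '/') != NULL)	/* never a path component */
		return 0;
	return 1;
}
```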