JFYI on my progress

Ilmar S. Habibulin ilmar at watson.org
Tue Apr 20 14:31:40 GMT 2004



On Tue, 20 Apr 2004, Robert Watson wrote:

> > My libbsm implementation differs from the standard get* set* end* functions'
> > implementation approach. I read and parse all files at once using the
> > au_lib_init() function and store all data in memory. Are there any
> > problems with my solution, why do other libraries use continuous reads
> > from files?
>
> The primary concern that comes to mind is audit log size: audit logs grow
> rapidly, and rotated logs can easily exceed the memory of a system during
> post-processing and analysis.  I think you want to be able to process logs
> using a fixed memory bound even as file size grows.  Also, if you can
> process audit records incrementally, you can use libbsm to process audit
> record streams (i.e., over a socket, fifo, pipe, or pseudo-device) in real
> time.
I suppose I did not express my thoughts correctly, so you did not understand
my question. I mean getauev*(), setauevent(), endauevent() and the other
functions. They parse the BSM databases in the /etc/security/audit_* files and
return the corresponding values. According to the docs they should read these
files only when called. I implemented a different approach -- I read all
these files and store the parsed info in internal variables/arrays.
The main problem with that approach, IMHO, is only the rereading of files. So I'm
asking: should I reimplement these functions in the same manner as
getpwent() and co., or is that OK?

> In earlier TrustedBSD audit work, I designed a plug-in for an auditd that
> read records from /dev/audit (a different model from the current "kernel
> writes to audit file"); module plug-ins specified event record filters and
> then were each fed records as they arrived to provide real-time
> processing.  Modules could watch for specific events, take statistics,
> etc.  While the model for monitoring with modules will be different with
> a BSM-centric API and reading from a file, I think we want to be able to
> handle streams and sources that change size and grow.
As for a stream parser -- there is none. I have only the praudit(1M) command,
with lots of hardcoded stuff. And a libbsm parser is on my TODO list. I
tried to get the audit subsystem functional first. Now I have something which
is integrated into FreeBSD rcNG. It runs the audit_startup script and the auditd
daemon, and one can configure event classes and user masks. So somehow
something works ;-). I'll post patches tomorrow.
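
[Editor's note: an added example, not code from libbsm, TrustedBSD or this thread.]
The getpwent()-style cursor that Ilmar asks about, and the fixed-memory-bound
point Robert raises, are easier to compare in code. The block below keeps only
an open stream between calls and parses one audit_event record per call, then
builds a by-number lookup on top of the cursor. Assumptions, all this example's
own: the _mem-suffixed function names and the record struct are hypothetical and
not the libbsm API; the database lines are constructed and written into a
tmpfile() standing in for /etc/security/audit_event; the field layout assumed is
number:name:description:classes, with comments, blank lines, malformed lines,
overlong lines and overlong fields rejected rather than silently accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct au_event_ent {               /* this example's own record layout, not libbsm's */
	unsigned int ae_number;
	char ae_name[64], ae_desc[128], ae_class[64];
};

/* Constructed stand-in for /etc/security/audit_event (number:name:description:classes).
 * A comment, a blank line and a malformed line are included to exercise skipping. */
static const char audit_event_sample[] =
	"# constructed sample, not the real audit_event file\n"
	"\n"
	"1:AUE_exit:exit(2):pc\n"
	"2:AUE_fork:fork(2):pc\n"
	"garbage line without fields\n"
	"6152:AUE_login:login - local:lo\n"
	"6153:AUE_logout:logout - local:lo\n";

/* Sole state kept between calls: one open stream. Each call parses a single line
 * into the caller's buffer, so memory use stays fixed however large the file is. */
static FILE *au_fp;

static int setauevent_mem(void) {   /* setauevent()-style rewind; tmpfile() on first use */
	if (au_fp == NULL) {
		if ((au_fp = tmpfile()) == NULL)
			return -1;
		fputs(audit_event_sample, au_fp);
	}
	rewind(au_fp);
	return 0;
}

static void endauevent_mem(void) {  /* endauevent()-style close */
	if (au_fp != NULL) { fclose(au_fp); au_fp = NULL; }
}

/* Parse "number:name:description:classes"; 1 on a record, 0 if the line is skipped.
 * Widths match the struct, so an overlong field fails the match instead of being
 * silently truncated; comments, blanks, malformed lines and trailing junk fail too. */
static int parse_event_line(const char *line, struct au_event_ent *e) {
	int end = -1;
	if (!isdigit((unsigned char)line[0])) return 0;   /* also drops '#' comments and blanks */
	if (sscanf(line, "%u:%63[^:]:%127[^:]:%63[^:]%n",
	    &e->ae_number, e->ae_name, e->ae_desc, e->ae_class, &end) != 4)
		return 0;
	return end >= 0 && line[end] == '\0';           /* reject trailing junk */
}

/* getauevent()-style: next well-formed record; 1 on success, 0 at end of database. */
static int getauevent_mem(struct au_event_ent *e) {
	char line[256];
	int ch;
	if (au_fp == NULL && setauevent_mem() != 0) return 0;
	while (fgets(line, sizeof line, au_fp) != NULL) {
		if (strchr(line, '\n') == NULL && !feof(au_fp)) {  /* overlong line: drain, skip */
			while ((ch = fgetc(au_fp)) != EOF && ch != '\n')
				;
			continue;
		}
		line[strcspn(line, "\r\n")] = '\0';
		if (parse_event_line(line, e))
			return 1;
	}
	return 0;
}

/* getauevnum()-style lookup by rescanning with the cursor; 1 if found. */
static int getauevnum_mem(unsigned int num, struct au_event_ent *out) {
	struct au_event_ent e;
	if (setauevent_mem() != 0) return 0;
	while (getauevent_mem(&e))
		if (e.ae_number == num) { *out = e; return 1; }
	return 0;
}

/* Count of well-formed records; comments, blanks and malformed lines are excluded. */
static int count_events_mem(void) {
	struct au_event_ent e;
	int n = 0;
	if (setauevent_mem() != 0) return -1;
	while (getauevent_mem(&e)) n++;
	return n;
}

/* Does event `num` resolve to exactly this name, description and class string? */
static int event_matches(unsigned int num, const char *name,
    const char *desc, const char *cls) {
	struct au_event_ent e;
	return getauevnum_mem(num, &e) && strcmp(e.ae_name, name) == 0 &&
	    strcmp(e.ae_desc, desc) == 0 && strcmp(e.ae_class, cls) == 0;
}

int main(void) {
	struct au_event_ent e;
	if (getauevnum_mem(6152, &e))
		printf("%u %s \"%s\" %s\n", e.ae_number, e.ae_name, e.ae_desc, e.ae_class);
	printf("%d well-formed records\n", count_events_mem());
	endauevent_mem();
	return 0;
}
```

The trade-off the thread is about shows up in getauevnum_mem: every lookup
rescans the file from the top, so it costs O(n) per call but never holds more
than one record, and the same cursor works unchanged on a pipe or a file that
is still growing. A read-everything-at-once au_lib_init() makes lookups O(1)
but has to reread (or miss) changes to the database and cannot be pointed at a
stream.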

To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-audit" in the body of the message