TrustedBSD status from Oct-Dec 2003

Ilmar S. Habibulin ilmar at watson.org
Mon Mar 22 10:41:36 GMT 2004



On Sat, 20 Mar 2004, Robert Watson wrote:

> Sorry about the delay in responding -- I've been in Taiwan the last week
> attending Asia BSDCon and seeing the beautiful sights :-).  I'm still
> catching up on e-mail, so you'll probably see other messages from me too.
Hope you have a good trip. ;-)

> You can find a description of the base BSM token types here:
>
>   http://docs.sun.com/db/doc/802-1965/6i5vah3bm?a=view
Well, I have the Trusted Solaris 8 audit administration book. I think they
are the same, or TSol's is maybe more complete.

> I believe there are both 32-bit and 64-bit attribute token types; only the
> 32-bit type seems to be documented here.  The public Darwin audit code
> drop in Panther seems to add an extra 32-bit pad to the file id field; I'm
> not sure why that is but will inquire.
64-bit tokens are used on 64-bit OSes, I suppose. So they would be used on
sparc64 and others. But I have only a Blade 100, so it would be my 64-bit
platform for experiments. And I don't understand what you mean by the term
file id. There are file system ID and inode. Do you mean one of these?

> > http://ftp.cerias.purdue.edu/pub/tools/unix/logutils/bsmparser/README.html
> Yes.  The Apple kernel audit implementation is intended to produce
> compliant BSM audit record streams that can be consumed by a number of
> open source programs and commercial audit products.  If you find bugs in
> the implementation, let me know and I can feed fixes back to Apple.
I've posted my progress to the -audit list. There were some bugs that I had to
fix in order to make the kernel boot and run, but I don't know if they affect
the Darwin sources too. I'll look at it.

> > Is there any additional info on your bsm audit implementation other than
> > darwin source?
> Not currently.  However, there is a lot of information available on the
> BSM APIs and record formats from Sun's web page, as well as a variety of
> open source projects, etc, that use BSM, so they are probably the best
> starting point.
Lately I understand what a foolish question I've asked. ;-)

> BTW -- did we ever get you hooked up with a Perforce account?  If so,
> could you submit your changes to the audit2 branch?  I'm pretty
> preoccupied with other work right now, so if you want to grab the audit
> work and run with it, please do :-).
I'm very pleased with this offer, but I don't feel skilled enough to do
all the job by myself. I'm not even a good programmer, and I'm afraid
that my misaction would do harm to other, maybe more important,
projects. So IMHO it will be better if somebody more skilled would look
through my code and commit or fix-n-commit it. ;-)
Right now I'm fully occupied with the BSM audit implementation. But the work
is not even half done. ;-) Many bugs to fix, many userland utils to hack.
