[365] in Intrusion Detection Systems
Re: Decoding BSM audit trail
daemon@ATHENA.MIT.EDU (Aziz MOUNJI)
Tue Oct 10 04:36:35 1995
Date: Mon, 9 Oct 1995 11:37:53 +0100
From: amo@info.fundp.ac.be (Aziz MOUNJI)
To: richter@informatik.tu-cottbus.de
Reply-To: ids@uow.edu.au
Hi Birk,
Thanks very much for your reply.
> Hi,
>
> You will find the information to the BSM Audit Trail in the HandBook:
> "Solaris SHIELD Basic Security Module".
>
I already read the entire stuff, but could not find the answer to my
question.
>
> An audit record is built from audit tokens.
I read the audit_record.h (under /usr/include/bsm) but only found the
C declaration for the TOKENS (au_arg_tok_t, au_attr_tok_t, ... etc).
What I am (desperately) looking for is the C declaration of an entire
audit record. What is explained in "Solaris SHIELD Basic Security Module" is
the logical structure of the various types of audit records. Also, I would
like to know what is the meaning of the previous and next in
the declaration below (from /usr/include/bsm/audit_record.h):
struct au_token {
    char id;
    struct au_token *next;
    struct au_token *prev;
    char *data;       /* which data, the tokens ???? */
    u_short size;     /* of entire record, token, the rest ???*/
    union {
        au_arg_tok_t      arg;
        au_attr_tok_t     attr;
        au_data_tok_t     data;
        au_exit_tok_t     exit;
        au_file_tok_t     file;
        au_groups_tok_t   groups;
        au_header_tok_t   header;
        au_inaddr_tok_t   inaddr;
        au_ip_tok_t       ip;
        au_ipc_perm_tok_t ipc_perm;
        au_ipc_tok_t      ipc;
        au_iport_tok_t    iport;
        au_invalid_tok_t  invalid;
        au_opaque_tok_t   opaque;
        au_path_tok_t     path;
        au_proc_tok_t     proc;
        au_ret_tok_t      ret;
        au_server_tok_t   server;
        au_seq_tok_t      seq;
        au_socket_tok_t   socket;
        au_subj_tok_t     subj;
        au_text_tok_t     text;
        au_trailer_tok_t  trailer;
    } un;
};
typedef struct au_token au_token_t;
Does it mean that the tokens form a chained list?
It's really unclear and confusing. Can you provide further explanations?
> There is a program named "praudit". It converts the binary audit trail in
> a human readable format - slowly.
>
> One easy solution for your problem, actually used by us, is the following:
>
> praudit | your_transformer
>
> Warning, it's _very_ slow!!!!
>
Oh yes, it is much more efficient to plug *directly* into the binary audit
trail and transform it. But, eh, I need the binary specs of this.
Thanks again, if you have further explanations, it would be most appreciated.
Cheers, Aziz.
--------------------------+-------------------------------------
| Abdelaziz Mounji | amo@info.fundp.ac.be |
| ASAX project | http://www.info.fundp.ac.be/~amo |
| Institut d'Informatique | voice: +32 81 724987 |
| University of Namur | Fax : +32 81 724967 |
----------------------------------------------------------------
--
+---------------------+--------------------------------------------------+
| ____ ___ | Justin Lister ruf@cs.uow.edu.au |
| | \\ /\ __\ | Center for Computer Security Research |
| | |) / \_/ / |_ | Dept. Computer Science voice: 61-42-214-330 |
| | _ \\ /| _/ | University of Wollongong fax: 61-42-214-329 |
| |_/ \/ \_/ |_| (tm) | Computer Security a utopian dream... |
| | LiNuX - the only justification for using iNTeL |
+---------------------+--------------------------------------------------+
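The message above asks what an entire audit record looks like in the binary trail and how the token size relates to the record size. The following is an added example, not code from the original message, from Solaris, or from the ASAX project. It assumes the on-disk encoding later documented as the OpenBSM/Solaris BSM layout (the page itself does not give it): a record is a header token (id 0x14: byte count of the whole record, version, event type, event modifier, seconds, milliseconds), followed by body tokens laid out back to back, closed by a trailer token (id 0x13: magic 0xB105 and the same byte count). The next/prev pointers in au_token are taken here to be in-memory chaining only; on disk there are no pointers. The sample record, the token ids and the field layouts are constructed assumptions to be checked against your own /usr/include/bsm/audit_record.h; the point of the example is the defensive check a transformer that reads the binary trail directly should make before trusting a record: header and trailer counts agree, the trailer magic is present, and no token runs past the record boundary.

```python
import struct

# Token ids and layouts assumed from the OpenBSM/Solaris BSM encoding
# (assumption: not taken from the original message).
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
TRAILER_MAGIC = 0xB105
HEADER32_FMT = ">BIBHHII"   # id, record byte count, version, event, modifier, sec, msec
TRAILER_FMT = ">BHI"        # id, magic, record byte count
RETURN32_FMT = ">BBI"       # id, status (errno), return value
TEXT_HDR_FMT = ">BH"        # id, length of NUL-terminated string


class AuditFormatError(ValueError):
    """Raised when the binary trail does not have the expected structure."""


def build_sample_record(event_type=2, text=b"constructed sample", status=0, retval=3):
    """Construct a synthetic one-record trail (constructed test data, not real Solaris output)."""
    text_tok = struct.pack(TEXT_HDR_FMT, AUT_TEXT, len(text) + 1) + text + b"\x00"
    ret_tok = struct.pack(RETURN32_FMT, AUT_RETURN32, status, retval)
    body = text_tok + ret_tok
    total = struct.calcsize(HEADER32_FMT) + len(body) + struct.calcsize(TRAILER_FMT)
    header = struct.pack(HEADER32_FMT, AUT_HEADER32, total, 2, event_type, 0, 813238673, 0)
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, TRAILER_MAGIC, total)
    return header + body + trailer


def parse_token(buf, off):
    """Decode one token at buf[off]; return (token dict, offset of the next token)."""
    try:
        tid = buf[off]
        if tid == AUT_HEADER32:
            _, count, ver, etype, emod, sec, msec = struct.unpack_from(HEADER32_FMT, buf, off)
            tok = {"id": "header", "size": count, "version": ver, "event": etype,
                   "modifier": emod, "sec": sec, "msec": msec}
            return tok, off + struct.calcsize(HEADER32_FMT)
        if tid == AUT_TEXT:
            _, n = struct.unpack_from(TEXT_HDR_FMT, buf, off)
            start = off + struct.calcsize(TEXT_HDR_FMT)
            s = buf[start:start + n]
            if len(s) != n or not s.endswith(b"\x00"):
                raise AuditFormatError("text token runs past buffer or lacks NUL")
            return {"id": "text", "text": s[:-1].decode("ascii", "replace")}, start + n
        if tid == AUT_RETURN32:
            _, status, value = struct.unpack_from(RETURN32_FMT, buf, off)
            return {"id": "return", "status": status, "value": value}, off + struct.calcsize(RETURN32_FMT)
        if tid == AUT_TRAILER:
            _, magic, count = struct.unpack_from(TRAILER_FMT, buf, off)
            if magic != TRAILER_MAGIC:
                raise AuditFormatError("bad trailer magic 0x%04x" % magic)
            return {"id": "trailer", "size": count}, off + struct.calcsize(TRAILER_FMT)
    except (struct.error, IndexError) as exc:
        raise AuditFormatError("truncated token at offset %d" % off) from exc
    raise AuditFormatError("unknown token id 0x%02x at offset %d" % (tid, off))


def parse_record(buf, off=0):
    """Parse one record starting at off: header, body tokens, trailer. Returns (tokens, next_off)."""
    header, pos = parse_token(buf, off)
    if header["id"] != "header":
        raise AuditFormatError("record does not start with a header token")
    end = off + header["size"]          # header byte count covers the entire record
    if end > len(buf):
        raise AuditFormatError("record claims %d bytes but only %d remain" % (header["size"], len(buf) - off))
    tokens = [header]
    while pos < end:
        tok, pos = parse_token(buf, pos)
        tokens.append(tok)
    if pos != end or tokens[-1]["id"] != "trailer" or tokens[-1]["size"] != header["size"]:
        raise AuditFormatError("record at offset %d is not closed by a matching trailer" % off)
    return tokens, pos


def parse_trail(buf):
    """Split a binary trail into records, each a list of decoded tokens."""
    records, off = [], 0
    while off < len(buf):
        tokens, off = parse_record(buf, off)
        records.append(tokens)
    return records


if __name__ == "__main__":
    trail = build_sample_record() + build_sample_record(status=2, retval=0xFFFFFFFF)
    for rec in parse_trail(trail):
        print([t["id"] for t in rec], "status", rec[2]["status"])
```

Each record in the returned list is the sequence of tokens between one header and its trailer; a transformer for an IDS can walk that list and build its own event structure from the subject, path and return tokens, which this example does not decode.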