Distributed Audit Project Report

Sergio Ligregni ligregni at unixmexico.org
Thu Jul 29 19:56:02 UTC 2010


Hi!

The project is going pretty well; the changes made since the MidTerm Eval:

- MD5 to SHA256 checksum when verifying the integrity of an audit trail
- Multiple audit trail directories allowed, that is, if audit_control has
"dir: /var/audit /var/audit2 /var/audit3", and the shipd_control file has the
three configured also, the daemon will search through all directories
listed for audit trails (but, if duplicated, since the important thing is
the name and the SHA256, there will be no double transfer of trails)
- Fixed the security issues related to strxxx functions, and styled
(style(9)) the code.

TO_DO (next days):

- config audit_warn to call shipd when a trail is closed (if someone has
ideas to do that, help is welcome)
- "migrate" BSD sockets to BIO sockets, in order to get SSL implemented.

HELP NEEDED:

/*++++++++++++++++++++++*/

- which code should I base my development on for getting parameters from a
file? (I've searched audit.c, auditd_fbsd.c, auditd.c but did not find the
function to do that, maybe I missed something), currently I have files like:

/var/audit
/var2/audit
1000
yes
53686

and got the parameters with sscanf, but the right way (the one I want to
know which code to take as baseline for):

dir:/var/audit /var2/audit
time: 1000
slave_dir: yes
port: 53686

and not to use sscanf (avoiding that function is a security concern raised
by my mentor). I think I can do an algorithm to implement that, but maybe
there is a better/safer way to do it in order to keep to the standard.

/*++++++++++++++++++++++*/

Currently I have this function to verify if a file is a trail, given its
name; this is very poor and it needs to be improved, any ideas?

#include <ctype.h>
#include <string.h>

/*
 * When exploring /var/audit/ (or the directory where the trails are), not
 * all files are trails so we must ensure we will only deal with the ones
 * that are trails.
 */
static int
is_audit_trail(const char *path)
{
	/*
	 * We have these possibilities, only the first one is allowed
	 * 20100619223115.20100619223131 20100619223131.not_terminated
	 * current
	 */

	/* Closed trail: 14-digit start, '.', 14-digit stop (29 chars total). */
	if (strlen(path) == 29 && path[14] == '.' &&
	    isdigit((unsigned char)path[15])) {
		/* XXX To improve this checking later */
		return (1);
	}
	return (0);
}

/*++++++++++++++++++++++*/

Thanks!
-- 
-----------------------------------------------------------
Sergio Andrés Ligregni Arredondo

Estudiante Ingeniería en Sistemas Computacionales, ITQ.
Is UNIX Hot Enough for You? | FreeBSD
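Added example addressing both questions in the post (not code from the post or from shipd): a stricter trail-name check that requires every character of "YYYYMMDDHHMMSS.YYYYMMDDHHMMSS" to be a digit, and a bounded "key: value" line parser for the shipd_control format shown above that uses strchr/memcpy instead of sscanf and refuses any part that would not fit its buffer. Function names and the 29-character length constant are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>
#define TRAIL_NAME_LEN 29	/* "YYYYMMDDHHMMSS.YYYYMMDDHHMMSS" */

/* Accept only a closed trail name: 14 digits, '.', 14 digits. */
static int
is_audit_trail(const char *name)
{
	size_t i;

	if (name == NULL || strlen(name) != TRAIL_NAME_LEN || name[14] != '.')
		return (0);
	for (i = 0; i < TRAIL_NAME_LEN; i++)
		if (i != 14 && !isdigit((unsigned char)name[i]))
			return (0);
	return (1);
}

/*
 * Split one "key: value" line into bounded caller buffers, trimming blanks
 * around the value. Returns 1 on success, 0 for blank/comment/malformed
 * lines or when a part would not fit (so a long line can never overflow).
 */
static int
parse_control_line(const char *line, char *key, size_t keylen,
    char *val, size_t vallen)
{
	const char *colon, *p, *end;
	size_t n;

	while (isspace((unsigned char)*line))
		line++;
	if (*line == '\0' || *line == '#' || (colon = strchr(line, ':')) == NULL)
		return (0);
	n = (size_t)(colon - line);
	if (n == 0 || n >= keylen)
		return (0);
	memcpy(key, line, n);
	key[n] = '\0';
	for (p = colon + 1; isspace((unsigned char)*p); p++)
		;
	for (end = p + strlen(p); end > p && isspace((unsigned char)end[-1]); end--)
		;
	n = (size_t)(end - p);
	if (n >= vallen)
		return (0);
	memcpy(val, p, n);
	val[n] = '\0';
	return (1);
}
```

The caller reads the file with fgets into a fixed buffer, passes each line here, and then dispatches on the key ("dir", "time", "slave_dir", "port"), converting numeric values with strtol rather than sscanf.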
