Week 7 / Non-BSM to BSM Conversion Tools
Mateusz Piotrowski
0mp at FreeBSD.org
Mon Jul 11 08:41:16 UTC 2016
Hello,
During this week I focused on implementing the conversion from Linux Audit to BSM.
It turns out that the Linux Audit format is not well standardized and I do not understand many aspects of the format yet. At the moment my program is able to parse and perform a basic conversion of Linux Audit logs. It means that all the Linux Audit fields are converted to text tokens using au_to_text(3).
Additionally, I extended the interface of libbsm. I added a function au_close_buffer_tm() which is au_to_buffer() with the possibility to set an arbitrary timestamp for the audit record. I had to do it because the interface didn’t allow me to easily use an arbitrary timestamp - au_write(3) automatically used gettimeofday to set the time. The file with the modified code is /contrib/openbsm/libbsm/bsm_audit.c.
I created a wiki where I store useful links for future reference: [1].
Due to the complexity of the Linux Audit format and my lack of experience with audit logs and system calls I have to spend one more week on the conversion. I’ve updated the [Wiki] accordingly.
I’ve asked three questions on unix.stackexchange.com regarding Linux Audit:
- [4] http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records
- [5] http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique
- [6] http://unix.stackexchange.com/questions/294641/where-can-i-find-the-most-recent-dictionary-of-standard-linux-audit-event-fields
My major branch is [2] where I eventually pull all my code.
My current branch I work on: [3].
Cheers!
Mateusz Piotrowski
[Wiki]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools/
[GitHub]: https://github.com/0mp/freebsd/
[1]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools/LinuxAuditToBSM
[2]: https://github.com/0mp/freebsd/pull/9
[3]: https://github.com/0mp/freebsd/pull/41
[4]: http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records
[5]: http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique
[6]: http://unix.stackexchange.com/questions/294641/where-can-i-find-the-most-recent-dictionary-of-standard-linux-audit-event-fields
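The parsing step the report describes (split a Linux Audit record into its fields, pull the kernel timestamp and serial out of the msg=audit(...) header, and turn every field into a text token), as an added example that is not the project's converter and does not link against libbsm. It shows the part of the format that makes it hard to treat as "standardized": a value may be bare, double-quoted, single-quoted with a nested key=value list (USER_* records), or hex-escaped when the kernel decided the string was untrusted. The sample records, the HEX_STRING_FIELDS set and the token naming are constructed for this example; the au_to_text(3)/au_close_buffer_tm() calls are only described in comments.

```python
"""Parse Linux Audit (auditd) records and lay out the BSM text-token conversion.

Added example for this status report; not the project's own code, no libbsm.
Sample records below are constructed, not captured from a live system.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Every record starts with "type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): ".
# Records that share (seconds.millis, serial) belong to the same event.
HEADER_RE = re.compile(
    r"^type=(?P<type>[A-Z0-9_]+)\s+msg=audit\((?P<sec>\d+)\.(?P<msec>\d{1,3}):"
    r"(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Field values come in several forms and nothing in the line says which:
#   key=value        bare token, no spaces
#   key="value"      double-quoted, may contain spaces
#   key='a=1 b=2'    single-quoted nested key=value list (USER_* records)
#   key=6361740041   hex-encoded bytes: the kernel emits this instead of quoting
#                    when a string holds spaces, quotes, control or non-ASCII bytes
FIELD_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_\-]+)=(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<raw>\S*))"
)

# String fields that are either quoted or hex-escaped, never bare (assumption
# drawn from auditd's escaping rules; extend the set for other record types).
HEX_STRING_FIELDS = {"proctitle", "name", "cwd", "comm", "exe", "cmd", "key", "data"}
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


@dataclass
class AuditRecord:
    type: str
    sec: int
    usec: int
    serial: int
    # Ordered list rather than a dict: field names are not guaranteed unique.
    fields: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def event_id(self) -> Tuple[int, int, int]:
        return (self.sec, self.usec, self.serial)


def _decode_value(key, dq, sq, raw):
    if dq is not None:
        return [(key, dq)]
    if sq is not None:
        # Nested message: flatten its fields into the record, keeping order.
        return parse_fields(sq)
    if key in HEX_STRING_FIELDS and raw and HEX_RE.match(raw):
        # NUL separates argv entries in proctitle; show it as a space.
        text = bytes.fromhex(raw).decode("utf-8", "replace")
        return [(key, text.replace("\x00", " "))]
    return [(key, raw)]


def parse_fields(body: str) -> List[Tuple[str, str]]:
    out = []
    for m in FIELD_RE.finditer(body):
        out.extend(_decode_value(m["key"], m["dq"], m["sq"], m["raw"]))
    return out


def parse_record(line: str) -> AuditRecord:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    usec = int(m["msec"].ljust(3, "0")) * 1000  # audit stamps have millisecond resolution
    return AuditRecord(m["type"], int(m["sec"]), usec, int(m["serial"]), parse_fields(m["body"]))


def to_text_tokens(rec: AuditRecord) -> List[str]:
    """The basic conversion from the report: one text token per field plus one for
    the record type. A real converter would hand each string to au_to_text(3) and
    close the record with (sec, usec) instead of gettimeofday(), which is what the
    timestamp-aware au_close_buffer_tm() described above is for."""
    return ["linux_audit_type=" + rec.type] + ["%s=%s" % kv for kv in rec.fields]


def group_events(lines) -> Dict[Tuple[int, int, int], List[AuditRecord]]:
    """Collect records sharing (timestamp, serial) into one event, preserving order."""
    events: Dict[Tuple[int, int, int], List[AuditRecord]] = {}
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec.event_id, []).append(rec)
    return events


# Constructed sample: one open(2) of /etc/passwd (four records) and one login record.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1468226476.123:42): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=7ffe3c5d8f2a a1=0 a2=1b6 a3=0 items=1 ppid=1201 pid=1337 auid=1000 uid=1000 gid=1000 '
    'tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="watch-passwd"',
    'type=CWD msg=audit(1468226476.123:42):  cwd="/home/mp"',
    'type=PATH msg=audit(1468226476.123:42): item=0 name="/etc/passwd" inode=131 dev=08:01 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1468226476.123:42): proctitle=636174002F6574632F706173737764',
    "type=USER_LOGIN msg=audit(1468226480.005:43): pid=1400 uid=0 auid=1000 ses=4 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 "
    "terminal=/dev/pts/0 res=success'",
]

if __name__ == "__main__":
    for event_id, recs in group_events(SAMPLE_LOG).items():
        print("event", event_id)
        for rec in recs:
            print("  ", to_text_tokens(rec))
```

Keeping the fields as an ordered list of pairs instead of a dict sidesteps question [5] (whether a field name can repeat inside a record): nothing is lost if it can, and the tokens come out in the order the kernel wrote them. The hex heuristic is safe only for fields the kernel always quotes or hex-escapes; applying it to numeric fields such as a0..a3 would corrupt them.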