Week 8 / Non-BSM to BSM Conversion Tools

Mateusz Piotrowski 0mp at FreeBSD.org
Mon Jul 18 09:24:33 UTC 2016


Hello,

I’ve got a couple of interesting pieces of news for you.

# Parsing

According to what I’ve learnt from the Linux Audit mailing list, there is no document with the standard. Generally, no one is translating and parsing Linux Audit logs on their own, because there is a library called auparse which is capable of parsing those not-so-well standardised Linux logs. As a result my program is able to parse the most recent version of Linux Audit, which is not that great - Debian uses a version from 2012 and CentOS a 2013 one.

I was told that in the near future auparse will have its interface expanded and it will be easier to extract information from Linux Audit records.

# Conversion

I’ve created an extensible and easy to use framework to modify/improve the current conversion from Linux Audit to BSM. At the moment most of the Linux records are simply converted to text tokens (see audit.log(5)).

In fact Linux Audit is a little bit of a constantly morphing black box which means that logs might possibly contain anything inside. I was told that it is about to change but you never know - remember that Debian uses a 4 year old version of this software.

# CentOS

Now I am trying to get the most recent audit software on CentOS to see what Linux Audit records should really look like.

# Links:

- Linux Audit userspace TODO: https://github.com/linux-audit/audit-userspace/blob/master/TODO
- My email to linux-audit redhat com (Steve Grubb is a really nice guy!): https://www.redhat.com/archives/linux-audit/2016-July/msg00063.html


Cheers,

-m
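The parsing and conversion steps described in this status report, shown as an added example that is not the author's code and not auparse: it parses constructed Linux Audit lines (modelled on the `type=... msg=audit(time:serial): key=value ...` layout of audit.log), groups the records that share a serial into one event the way auparse does, decodes the hex-encoded strings Linux Audit emits for unsafe values (the set of keys treated as hex-encodable, `HEX_ENCODABLE`, is an assumption), and renders each event as plain text-token strings. The rendering is a stand-in for BSM text tokens, not real BSM record encoding; the sample log lines and their values are constructed.

```python
import re
from collections import OrderedDict

# Event id carried by every record, e.g. "msg=audit(1468833873.123:456):".
EVENT_ID_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")
# One key=value pair; values are bare or double-quoted (quotes may contain escapes).
KV_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')
# Keys whose unquoted, upper-case hex value is an encoded string (assumed subset).
HEX_ENCODABLE = {"name", "comm", "exe", "cwd", "proctitle", "key", "acct"}
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")

# Constructed sample: one open(2) of /etc/passwd (four records, serial 456)
# and one user-space login record whose fields are nested in msg='...' (serial 457).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1468833873.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0c1a1b20 a1=0 a2=1b6 a3=0 items=1 ppid=1800 pid=1823 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="passwd-read"
type=CWD msg=audit(1468833873.123:456): cwd="/home/user"
type=PATH msg=audit(1468833873.123:456): item=0 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1468833873.123:456): proctitle=636174002F6574632F706173737764
type=USER_LOGIN msg=audit(1468833900.001:457): pid=2011 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""


def decode_value(key, value):
    """Strip quotes, or decode the hex encoding Linux Audit uses for unsafe strings."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_ENCODABLE and HEX_RE.fullmatch(value):
        # NUL separates argv entries in proctitle; render it as a space.
        return bytes.fromhex(value).decode("latin-1").replace("\x00", " ")
    return value


def parse_record(line):
    """Parse one raw audit line into {'type', 'time', 'serial', 'fields'}."""
    line = line.strip()
    m = re.match(r"type=(\w+)\s+", line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    e = EVENT_ID_RE.search(line)
    if not e:
        raise ValueError("missing event id in: %r" % line)
    rest = line[e.end():]
    # User-space records nest their real fields inside msg='...'; unwrap them.
    nested = re.search(r"msg='(.*)'\s*$", rest)
    if nested:
        rest = rest[:nested.start()] + " " + nested.group(1)
    fields = OrderedDict()
    for key, value in KV_RE.findall(rest):
        fields[key] = decode_value(key, value)
    return {
        "type": m.group(1),
        "time": float(e.group(1) + "." + e.group(2)),
        "serial": int(e.group(3)),
        "fields": fields,
    }


def group_events(lines):
    """Group records by serial into events (first-seen order), as auparse does."""
    events = OrderedDict()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        events.setdefault(rec["serial"], []).append(rec)
    return events


def event_to_text_tokens(records):
    """Render an event as one text-token string per record: 'TYPE key=value ...'."""
    tokens = []
    for rec in records:
        body = " ".join("%s=%s" % (k, v) for k, v in rec["fields"].items())
        tokens.append("%s %s" % (rec["type"], body))
    return tokens


if __name__ == "__main__":
    for serial, records in group_events(SAMPLE_LOG.splitlines()).items():
        print("event %d (%d records)" % (serial, len(records)))
        for token in event_to_text_tokens(records):
            print("  " + token)
```

Grouping by serial is the part worth keeping in mind: a single syscall produces several lines (SYSCALL, CWD, PATH, PROCTITLE), and a converter that treats each line as its own event loses the link between the syscall and the path it touched.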


More information about the soc-status mailing list