audit question (fwd)

Andrew R. Reiter arr at FreeBSD.org
Wed Nov 14 23:03:34 GMT 2001


On Wed, 14 Nov 2001, Ilmar S. Habibulin wrote:
:Another thought of mine. How about creating some subject and object
:tokens, as attributes of subjects and objects, set upon their
:creation. So we have only one problem - how to make these tokens
:unique. So upon fork(), socket(), open(), creat(), pipe(), etc. we create
:some unique token for the object. So we can store the path or any other
:known attributes of the object. And then only refer to the object's token in audit
:records. Then the user-level daemon will parse audit records and store
:appropriate paths or something else in logfiles. So some sort of hash-map
:should be implemented in the user-level process (again - it is much
:easier to hack a user-level daemon than the kernel).
:And one more possible problem - there must be some object deactivation
:record, after reading which, the userlevel daemon should delete the object-token
:map.

I dislike the idea of the userlevel daemon collecting anything of that
sort.  I think if we can, we should have the map be in some sort of
append-only part of disk space so that we can 1) keep a logical map of a
filesystem like you said, and 2) keep updates for fs map changes.
I fear keeping such a map in userland as it _and_ the logs should be in
some sort of read-only storage.  But, I do like your idea on the marking of
objects... and I agree with the map idea.  I think both can serve up saved
storage space.

Also, I'm wondering if anyone has tried applying the idea of the filesystem
map to create the idea of having an "audit log map" -- so that the userland
audit daemon can essentially just follow a map in order to generate every
piece of an audit log.  This map could be based on a few structures or
objects (i.e. users and uids, files, etc.) that are linked based on certain
characteristics.  Tonight I'd like to literally diagram this and see if I
can come to something worth sending to this list.

Another thought I had, relating to saving space on disk, was to save a
"log started time" (LST) and base times for log entries as offsets from
that (LST+N seconds).  

I assume some of the above has been done or thought of before, so if
people are willing to pipe up and share that kind of information, it would
be much appreciated.

I appreciate you sending some logs, thanks.

Cheers,
Andrew

--
Andrew R. Reiter
arr at watson.org
arr at FreeBSD.org
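The token-and-map scheme discussed in this exchange (tokens assigned at object creation, later records referring only to the token, a user-level daemon keeping the token-to-path map and dropping entries on an object deactivation record, and timestamps stored as offsets from a log-started time) can be replayed with a small parser. The following is an added example written for this archive page, not code from the thread, from TrustedBSD, or from either author. The record format (LST / NEW / REF / DEL lines), the sample stream and the token names are constructed for the example; a real audit format would be binary and carry many more fields. The example flags the two things a daemon must not silently ignore: a reference to a token that was never created or was already deactivated, and a deactivation of an unknown token.

```python
"""Toy replay of a token-based audit stream (constructed example).

Record format (an assumption made for this example, one record per line):
  LST <epoch-seconds>                 log-started time, the only absolute timestamp
  NEW <offset> <token> <kind> <name>  object created; the name is stored once, here
  REF <offset> <token> <action> <pid> later reference carries the token only
  DEL <offset> <token>                object deactivation; the daemon drops the mapping
"""
import datetime
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

# Constructed sample stream. Token names and paths are invented for the example.
SAMPLE_STREAM = """\
LST 1005778800
NEW 0 t1 file /etc/master.passwd
NEW 1 t2 socket tcp:*:22
REF 2 t1 open 1234
REF 5 t2 accept 1234
DEL 6 t1
REF 7 t1 read 1234
DEL 8 t9
"""

# A resolved record: absolute time, token, action, pid (None for create/deactivate),
# and the object's name resolved through the map (None if it could not be resolved).
Event = namedtuple("Event", "time token action pid name")


def parse_audit_stream(text: str) -> Tuple[List[Event], List[str]]:
    """Replay the stream, rebuilding the daemon's token map as it goes.

    Returns (events, warnings). Warnings are integrity problems the user-level
    daemon should surface rather than swallow.
    """
    lst: Optional[int] = None
    live: Dict[str, Tuple[str, str]] = {}  # token -> (kind, name) for live objects
    events: List[Event] = []
    warnings: List[str] = []

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # maxsplit=4 keeps a NEW record's name intact even if it contains spaces
        fields = line.split(maxsplit=4)
        rec = fields[0]

        if rec == "LST":
            lst = int(fields[1])
            continue
        if lst is None:
            warnings.append(f"line {lineno}: record before LST header, cannot place in time")
            continue

        abs_time = lst + int(fields[1])  # LST + N seconds, as proposed in the thread
        token = fields[2]

        if rec == "NEW":
            kind, name = fields[3], fields[4]
            if token in live:
                warnings.append(f"line {lineno}: token {token} reused while still live")
            live[token] = (kind, name)
            events.append(Event(abs_time, token, f"create-{kind}", None, name))
        elif rec == "REF":
            action, pid = fields[3], int(fields[4])
            entry = live.get(token)
            if entry is None:
                warnings.append(f"line {lineno}: reference to unknown or deactivated token {token}")
            events.append(Event(abs_time, token, action, pid, entry[1] if entry else None))
        elif rec == "DEL":
            entry = live.pop(token, None)
            if entry is None:
                warnings.append(f"line {lineno}: deactivation of unknown token {token}")
            events.append(Event(abs_time, token, "deactivate", None, entry[1] if entry else None))
        else:
            warnings.append(f"line {lineno}: unknown record type {rec!r}")

    return events, warnings


def render(events: List[Event]) -> List[str]:
    """Expand each event into a human-readable line with an absolute UTC timestamp."""
    out = []
    for e in events:
        ts = datetime.datetime.fromtimestamp(e.time, datetime.timezone.utc).isoformat()
        name = e.name if e.name is not None else f"<unresolved {e.token}>"
        pid = f"pid={e.pid}" if e.pid is not None else ""
        out.append(f"{ts} {e.action:14} {name} {pid}".rstrip())
    return out


if __name__ == "__main__":
    evs, warns = parse_audit_stream(SAMPLE_STREAM)
    print("\n".join(render(evs)))
    for w in warns:
        print("WARNING:", w)
```

Because every NEW record carries the object's name, the daemon's in-memory map is fully reconstructible from the stream itself; the log stays self-describing as long as the NEW records are retained, which addresses part of the concern above about trusting a userland-only map. The stale reference after `DEL 6 t1` is exactly the case the deactivation record is meant to catch, and a daemon that resolved it from a map it had failed to prune would attribute the access to the wrong object.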
