sample 5.3 based trusted os ;-)

Robert Watson rwatson at FreeBSD.org
Fri Jan 21 23:42:13 GMT 2005


On Fri, 21 Jan 2005, Chris Wright wrote:

> * Martin Englund (Martin.Englund at Sun.COM) wrote:
> > chrisw at osdl.org wrote:
> > 
> > > I'm interested as well.  The Linux effort currently records the name
> > > used to get at the file object, as well as inode number and device that
> > > it resolves to.
> > >
> > And which audit trail format are you using? And where's your project page :)
> 
> AFAIK, it's homespun.  There isn't a project page.  Just source tree and
> list archives.  We'd have to translate to BSM before BSM based tools
> would work. 

FYI, internally the Apple (and now FreeBSD) audit implementation uses a
non-BSM in-kernel data structure to represent an audit record, and then we
translate to BSM before committing the record to disk (also in-kernel). 
It may make sense for us to switch to BSM generation from inception, but
when we began the Darwin implementation, we wanted to avoid committing to
a record format prematurely.  That said, BSM is both an obvious and a
reasonable choice, as it's portable, flexible, and extensible.

Apple's libbsm may be a useful starting point for any conversion library,
as it's licensed under a 2-clause BSD license (so could be LGPL'd/GPL'd if
desired).  Apple has a pretty convenient tarball up on their Darwin open
source web page, and shortly we'll be importing it into the FreeBSD source
tree for inclusion in 6.x (and hopefully 5.4, if we can get the rest of
the infrastructure in place over the next couple of months).  The Apple
code includes a generation and parsing library, and implementations of
basic, if somewhat limited, command line printing and reduction tools.  If
there is interest in the Linux community, I think maintaining a common
source base would make a lot of sense...

Robert N M Watson
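
The translation step described in the message above (an internal record converted to BSM just before it is committed), as an added sketch that is not part of the original post and is not Apple's libbsm code. The names `k_rec`, `rec_to_bsm`, `put` and the `BSM_VERSION` value are hypothetical. Token layouts follow the BSM header32, path, attr32, return32 and trailer tokens. The subject token a real record carries is omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BSM_VERSION 2   /* assumption: header version byte chosen for this sketch */

/* Hypothetical internal record holding what the thread says Linux captures. */
struct k_rec {
    uint16_t event;             /* audit event number */
    uint32_t sec, msec;         /* event time */
    const char *path;           /* name used to reach the file object */
    uint32_t dev;               /* device the name resolved to */
    uint64_t ino;               /* inode the name resolved to */
    uint8_t err;                /* 0 on success */
    uint32_t ret;               /* syscall return value */
};

/* BSM integers are stored big-endian regardless of host byte order. */
static size_t put(uint8_t *b, size_t o, uint64_t v, int n) {
    while (n--) b[o++] = (uint8_t)(v >> (8 * n));
    return o;
}

/* Serialize r as one BSM record; returns its length, or 0 if it cannot fit. */
size_t rec_to_bsm(const struct k_rec *r, uint8_t *buf, size_t cap) {
    size_t plen = strlen(r->path) + 1;            /* path token includes the NUL */
    size_t total = 18 + (3 + plen) + 29 + 6 + 7;  /* header+path+attr+return+trailer */
    size_t o = 0;
    if (plen > 0xffff || total > cap) return 0;   /* path length field is 16 bits */

    o = put(buf, o, 0x14, 1);                     /* header32 token */
    o = put(buf, o, total, 4);                    /* record byte count */
    o = put(buf, o, BSM_VERSION, 1);
    o = put(buf, o, r->event, 2);
    o = put(buf, o, 0, 2);                        /* event modifier */
    o = put(buf, o, r->sec, 4);
    o = put(buf, o, r->msec, 4);
    o = put(buf, o, 0x23, 1);                     /* path token */
    o = put(buf, o, plen, 2);
    memcpy(buf + o, r->path, plen); o += plen;
    o = put(buf, o, 0x3e, 1);                     /* attr32 token */
    memset(buf + o, 0, 12); o += 12;              /* mode, uid, gid: not in k_rec */
    o = put(buf, o, r->dev, 4);                   /* file system id */
    o = put(buf, o, r->ino, 8);                   /* node id */
    o = put(buf, o, 0, 4);                        /* device id (special files) */
    o = put(buf, o, 0x27, 1);                     /* return32 token */
    o = put(buf, o, r->err, 1);
    o = put(buf, o, r->ret, 4);
    o = put(buf, o, 0x13, 1);                     /* trailer token */
    o = put(buf, o, 0xb105, 2);                   /* trailer magic */
    return put(buf, o, total, 4);                 /* must match the header count */
}
```

The zeroed attr32 fields mark where an internal format that records only name, inode and device has nothing to supply to the BSM token.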

