Week 2 / Non-BSM to BSM Conversion Tools / Problems with mapping and NFS

Mateusz Piotrowski 0mp at FreeBSD.org
Mon Jun 6 02:45:24 UTC 2016


Hello,

Mapping
=====
I read some contrib/openbsm source code to get the idea of how I should implement the conversion from the Linux Audit format to the BSM format. 

It turns out it is a little bit more complicated than I thought at the beginning. It is not obvious to me yet how I should map the Linux Audit format to the BSM format. 

On one hand I can try to map as many Linux Audit fields to BSM fields as possible; it seems to be rather troublesome. On the other hand I can ignore the whole mapping issue and just create a proper BSM trail using the header token, trailer token and a bunch of arbitrary data tokens to pack all the Linux Audit events there.

The best approach would be something in the middle, I guess. I wasn’t able to come up with a neat solution on my own yet, however; I’ve got to present my research to my mentor and ask for advice since I’m stuck.

Here’s an email I’ve sent to freebsd-hackers@ where I asked for help with understanding how the /etc/security/audit_event file works (https://lists.freebsd.org/pipermail/freebsd-hackers/2016-June/049550.html). I haven’t received any answer yet.


Parsing
=====
I felt a little bad about the fact that I haven’t written a single line of code yet. This is why I decided to start writing a parser for the Linux Audit trails. I’ve got to ask my mentor whether it wouldn’t be smarter to adopt the code which parses Linux Audit trails, since it is already written (http://people.redhat.com/sgrubb/audit/audit-parse.txt).


NFS
=====
My mentor suggested that I set up FreeBSD with NFS. I tried really hard to get it working. Basically, my virtual machine fails to boot. I created a step-by-step tutorial for future reference: https://github.com/0mp/freebsd/wiki/Set-up-FreeBSD-with-NFS. It is mainly based on oshogbo’s tutorial (http://oshogbo.vexillium.org/blog/28/).

I’ll update the tutorial as soon as I fix my NFS.


New repository
=====
I have a new repository: https://github.com/0mp/freebsd.


Midterm evaluation is coming
=====
Hopefully, I’ll manage to catch up with at least some of my milestones which I planned to reach before the midterm evaluation. I simply cannot work full-time on my GSoC project due to the exams coming soon.


Outdated Wiki
=====
I haven’t updated my Wiki page in a while because I’m struggling with the mapping issue. The link to the project’s Wiki: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools.


Cheers!

-Mateusz
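Added example, not part of Mateusz's message and not code from FreeBSD or openbsm: a small Python sketch of the "something in the middle" approach from the Mapping section, combined with the Linux Audit parser mentioned in the Parsing section. It parses auditd's key=value records, maps only the timestamp into a BSM header32 token, packs every other field into AUT_DATA tokens, and closes the record with a trailer. The openbsm token ids and constants (AUT_HEADER32, AUT_TRAILER, AUT_DATA, the trailer magic, header version 11, AUE_NULL as a placeholder event type) are quoted from memory of audit_record.h and should be checked against contrib/openbsm; the sample audit line is constructed.

```python
"""Pack Linux Audit records into a minimal BSM trail: header32 + data tokens + trailer."""
import re
import struct

# Token ids and constants as found in openbsm's audit_record.h (from memory; verify
# against contrib/openbsm before relying on them). AUE_NULL stands in for a real
# event type until a Linux-to-BSM event mapping exists.
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_DATA = 0x21
AUT_TRAILER_MAGIC = 0xB105
AUDIT_HEADER_VERSION_OPENBSM = 11
AUP_STRING = 4  # data token print format: string
AUR_BYTE = 0    # data token unit type: byte
AUE_NULL = 0
HEADER32_LEN = 18  # id(1) + length(4) + version(1) + event(2) + modifier(2) + sec(4) + msec(4)
TRAILER_LEN = 7    # id(1) + magic(2) + length(4)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):?$')


def parse_linux_audit_record(line):
    """Split one Linux Audit line into (seconds, millis, serial, {key: value})."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _MSG_RE.match(fields.get("msg", ""))
    if m is None:
        raise ValueError("missing or malformed msg=audit(secs.frac:serial) field")
    millis = int(m.group(2).ljust(3, "0")[:3])  # fractional seconds to milliseconds
    return int(m.group(1)), millis, int(m.group(3)), fields


def data_token(payload):
    """One AUT_DATA token; the unit count is a single byte, so at most 255 units."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("AUT_DATA carries 1..255 units")
    return struct.pack(">BBBB", AUT_DATA, AUP_STRING, AUR_BYTE, len(payload)) + payload


def data_tokens(text):
    """Encode text as one or more AUT_DATA tokens, chunking at the 255-byte limit."""
    raw = text.encode("utf-8")
    return b"".join(data_token(raw[i:i + 255]) for i in range(0, len(raw), 255))


def to_bsm_record(line, event_type=AUE_NULL):
    """Wrap a Linux Audit record: timestamp goes in the BSM header, the rest in data tokens."""
    secs, millis, serial, fields = parse_linux_audit_record(line)
    body = data_tokens(f"serial={serial}")
    body += b"".join(data_tokens(f"{k}={v}") for k, v in fields.items() if k != "msg")
    length = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(">BIBHHII", AUT_HEADER32, length, AUDIT_HEADER_VERSION_OPENBSM,
                         event_type, 0, secs, millis)
    trailer = struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, length)
    return header + body + trailer


def check_bsm_record(rec):
    """Framing check: header and trailer ids, trailer magic and both byte counts agree."""
    if len(rec) < HEADER32_LEN + TRAILER_LEN:
        return False
    tid, length = struct.unpack(">BI", rec[:5])
    ttid, magic, tlength = struct.unpack(">BHI", rec[-TRAILER_LEN:])
    return (tid == AUT_HEADER32 and ttid == AUT_TRAILER
            and magic == AUT_TRAILER_MAGIC and length == tlength == len(rec))


def data_payloads(rec):
    """Return the payloads of the AUT_DATA tokens between header and trailer."""
    out, pos, end = [], HEADER32_LEN, len(rec) - TRAILER_LEN
    while pos < end:
        tid, _fmt, _unit, count = struct.unpack(">BBBB", rec[pos:pos + 4])
        if tid != AUT_DATA:
            raise ValueError(f"unexpected token id 0x{tid:02x} at offset {pos}")
        out.append(rec[pos + 4:pos + 4 + count])
        pos += 4 + count
    return out


# Constructed sample record in the key=value format that auditd writes.
SAMPLE = ('type=SYSCALL msg=audit(1465180000.123:456): arch=c000003e syscall=2 '
          'success=yes exit=3 comm="cat" exe="/bin/cat" key="access"')

if __name__ == "__main__":
    rec = to_bsm_record(SAMPLE)
    print(len(rec), check_bsm_record(rec))
    for payload in data_payloads(rec):
        print(payload.decode())
```

Two points worth noticing: the AUT_DATA unit count is one byte, so any field longer than 255 bytes (proctitle lines are a common case) has to be split across several tokens, and the trailer repeats the record length so a reader can verify framing from either end. Nothing here solves the real mapping problem; the event type is still a placeholder, which is exactly the part that needs the audit_event mapping.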


More information about the soc-status mailing list