Re: Decoding BSM audit trail

Aziz MOUNJI (amo@info.fundp.ac.be)
Mon, 9 Oct 1995 11:37:53 +0100

Hi Birk,

Thanks very much for your reply.

> Hi,
> 
> You will find the information to the BSM Audit Trail in the HandBook:
> "Solaris SHIELD Basic Security Module".
> 

I have already read the entire document, but could not find the answer to my
question.

> 
> An audit record is built from audit tokens.

I read audit_record.h (under /usr/include/bsm) but only found the
C declarations for the TOKENS (au_arg_tok_t, au_attr_tok_t, etc.).
What I am (desperately) looking for is the C declaration of an entire
audit record. What is explained in "Solaris SHIELD Basic Security Module" is
the logical structure of the various types of audit records. Also, I would
like to know the meaning of the prev and next fields in
the declaration below (from /usr/include/bsm/audit_record.h):

struct au_token {
	char id;
	struct au_token *next;
	struct au_token *prev;
	char *data;		/* which data, the tokens ???? */
	u_short size;		/* of entire record, token, the rest ???*/ 
	union {
		au_arg_tok_t arg;
		au_attr_tok_t attr;
		au_data_tok_t data;
		au_exit_tok_t exit;
		au_file_tok_t file;
		au_groups_tok_t groups;
		au_header_tok_t header;
		au_inaddr_tok_t inaddr;
		au_ip_tok_t ip;
		au_ipc_perm_tok_t ipc_perm;
		au_ipc_tok_t ipc;
		au_iport_tok_t iport;
		au_invalid_tok_t invalid;
		au_opaque_tok_t opaque;
		au_path_tok_t path;
		au_proc_tok_t proc;
		au_ret_tok_t ret;
		au_server_tok_t server;
		au_seq_tok_t seq;
		au_socket_tok_t socket;
		au_subj_tok_t subj;
		au_text_tok_t text;
		au_trailer_tok_t trailer;
	} un;
};
typedef struct au_token au_token_t;

Does this mean that the tokens form a linked list?
It is really unclear and confusing. Can you provide further explanations?

> There is a program named "praudit". It converts the binary audit trail in
> a human readable format - slowly.
> 
> One easy solution for your problem, actually used by us, is the following:
> 
>      praudit | your_transformer
> 
> Warning, it's _very_ slow!!!!
> 

Oh yes, it is much more efficient to plug *directly* into the binary audit
trail and transform it. But, eh, I need the binary specs of this.

Thanks again; if you have further explanations, they would be most appreciated.

Cheers, Aziz.

 --------------------------+-------------------------------------
| Abdelaziz Mounji	   |	amo@info.fundp.ac.be             |
| ASAX project		   |	http://www.info.fundp.ac.be/~amo |
| Institut d'Informatique  |	voice: +32 81 724987             |
| University of Namur  	   |	Fax  : +32 81 724967             |
 ----------------------------------------------------------------	
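Framing records straight out of the binary trail, the approach Aziz prefers over piping praudit, as an added example that is not code from this thread or from Solaris. It assumes the header32/trailer token layout documented for BSM (AUT_HEADER32 = 0x14, AUT_TRAILER = 0x13, trailer magic 0xB105, big-endian fields) and a constructed sample trail; each record is accepted only when the trailer echoes the header's byte count, so a truncated or corrupted record stops the walk instead of being misparsed.

```c
#include <stddef.h>
#include <stdint.h>
/* Token ids and trailer magic as defined in <bsm/audit_record.h>. */
#define AUT_HEADER32      0x14
#define AUT_TRAILER       0x13
#define AUT_TRAILER_MAGIC 0xB105
#define HDR32_LEN   18    /* id(1) count(4) version(1) event(2) modifier(2) sec(4) nsec(4) */
#define TRAILER_LEN  7    /* id(1) magic(2) count(4) */
/* Multi-byte fields in the trail are big-endian regardless of host byte order. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
struct bsm_record {
    uint32_t length, sec, nsec; uint16_t event, modifier;
    const uint8_t *tokens; size_t tokens_len;   /* tokens between header and trailer */
};
/* Frame one record at buf[0..len). Returns bytes consumed, or 0 if malformed or truncated. */
size_t bsm_next_record(const uint8_t *buf, size_t len, struct bsm_record *out)
{
    if (len < HDR32_LEN + TRAILER_LEN || buf[0] != AUT_HEADER32) return 0;
    uint32_t reclen = be32(buf + 1);
    if (reclen < HDR32_LEN + TRAILER_LEN || reclen > len) return 0;
    const uint8_t *tr = buf + reclen - TRAILER_LEN;
    if (tr[0] != AUT_TRAILER || be16(tr + 1) != AUT_TRAILER_MAGIC || be32(tr + 3) != reclen)
        return 0;                          /* trailer must echo the header's byte count */
    out->length = reclen;
    out->event = be16(buf + 6);  out->modifier = be16(buf + 8);
    out->sec = be32(buf + 10);   out->nsec = be32(buf + 14);
    out->tokens = buf + HDR32_LEN;
    out->tokens_len = reclen - HDR32_LEN - TRAILER_LEN;
    return reclen;
}
/* Walk a trail buffer; returns how many well-formed records precede the first bad one. */
size_t bsm_count_records(const uint8_t *buf, size_t len)
{
    struct bsm_record r; size_t n = 0, used;
    while (len > 0 && (used = bsm_next_record(buf, len, &r)) != 0) { buf += used; len -= used; n++; }
    return n;
}
/* Constructed sample (not real audit data): two 33-byte records, each carrying one
   text token (id 0x28), followed by a truncated header that the framer must reject. */
const uint8_t sample_trail[] = {
    0x14, 0,0,0,33, 2, 0,6, 0,0, 0x30,0,0,0, 0,0,0,0, 0x28, 0,5, 'o','p','e','n',0, 0x13, 0xB1,0x05, 0,0,0,33,
    0x14, 0,0,0,33, 2, 0,7, 0,0, 0x30,0,0,1, 0,0,0,0, 0x28, 0,5, 'e','x','i','t',0, 0x13, 0xB1,0x05, 0,0,0,33,
    0x14, 0,0,0,33, 2,
};
```

The tokens between header and trailer are left for the caller to decode, since their layout depends on the token id; only the record framing is checked here.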
