Hello, Freebsd-security.
I'm trying to use audit, and have some problems. First one is the impossibility to create a custom event class, and the second one I hit is with auditreduce(1).

auditreduce doesn't filter events by date (-b/-a/-d options with any arguments produce empty output), it doesn't merge files properly and doesn't pick up files automagically, as Solaris' one does. It doesn't have the -C/-M/-O functionality of Solaris' one, too. So, proper merging of audit trail files seems to be impossible :(

I could try to fix & extend auditreduce(1), but does somebody but me need it?

Does somebody use audit on FreeBSD on production systems?

--
// Black Lion AKA Lev Serebryakov <[hidden email]>
_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[hidden email]"

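As an added illustration of what the date filtering and chronological merge discussed above should do (example code written for this page, not part of the thread or of OpenBSM's auditreduce), the following parses the BSM header32 token of each record in constructed trail data, merges several trails by timestamp and applies -a/-b style bounds. It assumes the OpenBSM header32 layout (token 0x14, 4-byte record length, 1-byte version, 2-byte event type, 2-byte modifier, 4-byte seconds, 4-byte milliseconds) and interprets dates as UTC; the event numbers in the sample are made up.

```python
import struct
from datetime import datetime, timezone

AUT_HEADER32 = 0x14      # OpenBSM header32 token id
AUT_TRAILER = 0x13       # trailer token id, followed by magic 0xb105 and length
HEADER_FMT = ">BIBHHII"  # id, record length, version, event, modifier, sec, msec
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 18 bytes

def make_record(event, sec, msec=0):
    """Constructed sample: a minimal BSM record made of header32 + trailer only."""
    reclen = HEADER_LEN + 7  # trailer is id(1) + magic(2) + record length(4)
    hdr = struct.pack(HEADER_FMT, AUT_HEADER32, reclen, 11, event, 0, sec, msec)
    return hdr + struct.pack(">BHI", AUT_TRAILER, 0xB105, reclen)

def iter_records(trail):
    """Yield (timestamp, event, raw_record) for each record in a trail buffer."""
    off = 0
    while off < len(trail):
        tid, reclen = struct.unpack_from(">BI", trail, off)
        # Refuse anything that is not a sane header32 record instead of skipping it.
        if tid != AUT_HEADER32 or reclen < HEADER_LEN or off + reclen > len(trail):
            raise ValueError("malformed or unsupported record at offset %d" % off)
        _, _, _, event, _, sec, msec = struct.unpack_from(HEADER_FMT, trail, off)
        yield (sec + msec / 1000.0, event, trail[off:off + reclen])
        off += reclen

def reduce_trails(trails, after=None, before=None):
    """Merge trails chronologically and keep records with after <= ts < before,
    the -a (on or after) / -b (before) semantics auditreduce(1) documents."""
    merged = sorted(r for t in trails for r in iter_records(t))
    return [r for r in merged
            if (after is None or r[0] >= after) and (before is None or r[0] < before)]

def parse_date(s):
    """YYYYMMDD[HH[MM[SS]]] argument (as for -a/-b/-d) to epoch seconds, UTC assumed."""
    fmt = {8: "%Y%m%d", 10: "%Y%m%d%H", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(s)]
    return int(datetime.strptime(s, fmt).replace(tzinfo=timezone.utc).timestamp())

# Constructed sample trails: two "files" whose records interleave in time.
TRAIL_A = (make_record(100, parse_date("20110629120000")) +
           make_record(200, parse_date("20110630090000")))
TRAIL_B = make_record(300, parse_date("20110629180000"))

if __name__ == "__main__":
    for ts, event, _ in reduce_trails([TRAIL_A, TRAIL_B],
                                      after=parse_date("20110629"),
                                      before=parse_date("20110630")):
        print(datetime.fromtimestamp(ts, timezone.utc), event)
```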
On 29 June 2011, at 12:59, Lev Serebryakov wrote:

> auditreduce doesn't filter events by date (-b/-a/-d options with any
> arguments produces empty output), it doesn't merge files properly and
> doesn't pick up files automagically, as Solaris' one does. It doesn't
> have -C/-M/-O functionality of Solaris' one, too. So, proper merging
> of audit trail files seems to be impossible :(
>
> I could try to fix & extend auditreduce(1), but does somebody but me
> need it?
>
> Does somebody use audit on FreeBSD on production systems?

Maybe you'll find this interesting:
http://forums.freebsd.org/showthread.php?t=23716#9

patpro

In reply to this post by Lev Serebryakov
On Jun 29, 2011, at 5:59 AM, Lev Serebryakov wrote:

> Hello, Freebsd-security.
>
> I'm trying to use audit, and have some problems. First one is
> impossibility to create custom event class, and second one I hit is
> with auditreduce(1)
>
> auditreduce doesn't filter events by date (-b/-a/-d options with any
> arguments produces empty output), it doesn't merge files properly and
> doesn't pick up files automagically, as Solaris' one does. It doesn't
> have -C/-M/-O functionality of Solaris' one, too. So, proper merging
> of audit trail files seems to be impossible :(
>
> I could try to fix & extend auditreduce(1), but does somebody but me
> need it?
>
> Does somebody use audit on FreeBSD on production systems?

FYI, a better place to discuss this would be the trustedbsd-audit mailing list. There are quite a few people that use OpenBSM in production on FreeBSD and Mac OS X that hang out on that list usually.

Regards,

-stacey.

In reply to this post by Patrick Proniewski
Hello, Patrick.
You wrote on 29 June 2011, 16:26:44:

> I do, almost (I've not finished my setup, but I'm auditing a production server).
> Maybe you'll find this interesting:
> http://forums.freebsd.org/showthread.php?t=23716#9

It seems even the system ftpd doesn't use setaudit() :(

--
// Black Lion AKA Lev Serebryakov <[hidden email]>

On 29 June 2011, at 16:23, Lev Serebryakov wrote:

> Hello, Patrick.
> You wrote on 29 June 2011, 16:26:44:
>
>> I do, almost (I've not finished my setup, but I'm auditing a production server).
>> Maybe you'll find this interesting:
>> http://forums.freebsd.org/showthread.php?t=23716#9
>
> It seems even the system ftpd doesn't use setaudit() :(

As long as it uses login to log users into the system, I don't think it needs to use setaudit(). But I'm no BSM guru at all :)
The audit system starts auditing a user as soon as he(r) logs in on the system.
I'll give ftpd a try if I have some spare time.

patpro

In reply to this post by Stacey Son
On Wed, 29 Jun 2011, Stacey Son wrote:

>> I'm trying to use audit, and have some problems. First one is impossibility
>> to create custom event class, and second one I hit is with auditreduce(1)
>>
>> auditreduce doesn't filter events by date (-b/-a/-d options with any
>> arguments produces empty output), it doesn't merge files properly and
>> doesn't pick up files automagically, as Solaris' one does. It doesn't have
>> -C/-M/-O functionality of Solaris' one, too. So, proper merging of audit
>> trail files seems to be impossible :(
>>
>> I could try to fix & extend auditreduce(1), but does somebody but me need
>> it?
>>
>> Does somebody use audit on FreeBSD on production systems?
>
> FYI, a better place to discuss this would be the trustedbsd-audit mailing
> list. There are quite a few people that use OpenBSM in production on
> FreeBSD and Mac OS X that hang out on that list usually.

Hi Lev:

Just catching up on back e-mail, and bumped into this thread. Did you file PRs for these bugs? As Stacey mentions, the trustedbsd-audit mailing list is where most discussion of OpenBSM takes place. It's generally pretty quiet, but there are quite a few people using audit in production, and I'm sure they'd appreciate bug reports (and even fixes!).

Robert

On 17 July 2011, at 12:14, Robert Watson wrote:

> Just catching up on back e-mail, and bumped into this thread. Did you file PRs for these bugs? As Stacey mentions, the trustedbsd-audit mailing list is where most discussion of OpenBSM takes place. It's generally pretty quiet, but there are quite a few people using audit in production, and I'm sure they'd appreciate bug reports (and even fixes!).

The TrustedBSD project web site looks like it has not been updated since 2009, and mailing list archives stop at January 2007. That's nice to read they are still alive. But where are the archives then?

patpro

On 17 Jul 2011, at 12:09, Patrick Proniewski wrote:

> On 17 July 2011, at 12:14, Robert Watson wrote:
>
>> Just catching up on back e-mail, and bumped into this thread. Did you file PRs for these bugs? As Stacey mentions, the trustedbsd-audit mailing list is where most discussion of OpenBSM takes place. It's generally pretty quiet, but there are quite a few people using audit in production, and I'm sure they'd appreciate bug reports (and even fixes!).
>
> The TrustedBSD project web site looks like it has not been updated since 2009, and mailing list archives stop at January 2007. That's nice to read they are still alive. But where are the archives then?

The web site could definitely use an update. The mailing list archives have been broken for several years, despite pings of postmaster. I've CC'd the postmaster in this e-mail as well to see if we can get this fixed? (I have local copies of all the mail as well, if we need a new mbox to import?)

Robert
