Re: [Fed-Talk] improving bsm auditing's signal to noise ratio
- Subject: Re: [Fed-Talk] improving bsm auditing's signal to noise ratio
- From: "Dan O'Donnell" <email@hidden>
- Date: Mon, 21 Apr 2008 08:50:46 -0700
- Thread-topic: [Fed-Talk] improving bsm auditing's signal to noise ratio
Marty,
I'm working on a solution for this problem, but it's too early yet to put it
out into the community. (Still in early stages of design and development.)
Best,
Dan O'Donnell
--
Dan O'Donnell
ISSO
RAND Corporation
1776 Main St.
PO Box 2138
Santa Monica CA 90407-2138
310-393-0411 x6637
email@hidden
On 4/17/08 12:05 PM, "email@hidden"
<email@hidden> wrote:
> Message: 1
> Date: Thu, 17 Apr 2008 09:16:20 -0400
> From: Marty Boegner <email@hidden>
> Subject: [Fed-Talk] improving bsm auditing's signal to noise ratio
> To: email@hidden
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Greetings all, I'm new to the list and this is my first mailing to the
> group.
>
> I searched the fed-talk mailing list archive for the terms below
> before deciding to post here, and received 0 results:
>
> sysctl
> ptrace
> recvmsg
>
> These three terms show up a lot in the BSM auditing logs. I'm looking
> for a resource that will help me decode the output of the praudit
> command. I'm using scripts now to get this:
>
>> <snip>
>> header,221,1,chmod(2),0,Fri Apr 11 10:25:27 2008, + 352 msec
>> argument,2,0x1c0,new file mode
>> path,/private/var/audit/to-be-reviewed/macsetup
>> path,/private/var/audit/to-be-reviewed/macsetup
>> attribute,40755,root,admin,234881026,0,0
>> subject,root,root,wheel,root,wheel,461,68,50331650,0.0.0.0
>> return,success,0
>> trailer,221
>> header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 359 msec
>> argument,1,0,name
>> argument,1,0x3,name
>> subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
>> return,success,0
>> trailer,94
>> header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 360 msec
>> argument,1,0,name
>> argument,1,0x3,name
>> subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
>> return,success,0
>> trailer,94
>> </snip>
>
> into this:
>
>> root on macsetup successful change permission on /private/var/
>> audit/to-be-reviewed/macsetup on Fri Apr 11 10:25:27 2008 ****
>> root on macsetup successful sysctl(3) on Fri Apr 11 10:25:27
>> 2008 ****
>> root on macsetup successful sysctl(3) on Fri Apr 11 10:25:27
>> 2008 ****
>
> but the S/N ratio is still abysmal.
>
> Is there such a resource that will let me know what sysctl|ptrace|
> recvmsg events are? I maintain systems that need to be NISPOM
> compliant, and this is a standard log review duty. What are others
> list members doing? And can you point me to any documentation?
>
> Thanks in advance.
>
>
> M a r t y
>
> _______________________________________________________
>
> Martin Boegner Jr.
> NSTD/STL
> The Johns Hopkins University Applied Physics Laboratory
> 11100 Johns Hopkins Road, Laurel, MD 20723-6099
>
> _______________________________________________________
__________________________________________________________________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message.
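Marty's question above is about turning praudit's token stream into reviewable one-liners and cutting the noise. What follows is an added example written for this page, not code from either poster: it parses praudit's comma-delimited text format (one record per `header` ... `trailer` span, token layouts as in the quoted sample), suppresses a configurable set of routine events, and counts event types so the reviewer can see which ones dominate a dump before deciding what to filter. The embedded input is the sample quoted in the post; the `NOISE_EVENTS` set, the summary wording, and the field positions taken from the sample are assumptions of this example, not anything the thread specifies.

```python
"""Parse praudit text output into one-line summaries plus an event histogram.

Added example for this thread (not the posters' code). Assumes praudit's
default comma-delimited text output: each record runs from a `header`
token to a `trailer` token, and token layouts match the quoted sample.
"""
from collections import Counter
from typing import Dict, Iterator, List, Optional, Set, Tuple

Record = Dict[str, List[List[str]]]

# Constructed sample: the praudit records quoted in Marty's post.
SAMPLE = """\
header,221,1,chmod(2),0,Fri Apr 11 10:25:27 2008, + 352 msec
argument,2,0x1c0,new file mode
path,/private/var/audit/to-be-reviewed/macsetup
path,/private/var/audit/to-be-reviewed/macsetup
attribute,40755,root,admin,234881026,0,0
subject,root,root,wheel,root,wheel,461,68,50331650,0.0.0.0
return,success,0
trailer,221
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 359 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 360 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
"""

# Events treated as routine on this host. Assumption: the post names these
# three as the dominant noise; tune the set per system from the histogram.
NOISE_EVENTS: Set[str] = {"sysctl(3)", "ptrace(2)", "recvmsg(2)"}


def parse_records(text: str) -> Iterator[Record]:
    """Yield one dict per record, mapping token name -> list of field lists."""
    record: Optional[Record] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            record = {}
        if record is None:
            continue  # stray tokens before the first header are skipped
        record.setdefault(token, []).append(fields[1:])
        if token == "trailer":
            yield record
            record = None


def summarize(record: Record) -> str:
    """Render a record in a one-line form similar to the post's summaries."""
    # header fields (after the token name): size, version, event, modifier,
    # timestamp, "+ N msec"
    header = record["header"][0]
    event = header[2]
    timestamp = header[4].strip()
    # subject fields: audit uid, uid, gid, ruid, rgid, pid, sid, terminal id
    subject = record.get("subject", [[]])[0]
    user = subject[0] if subject else "?"
    pid = subject[5] if len(subject) > 5 else "?"
    # return fields: error string, return value
    ret = record.get("return", [["?"]])[0][0]
    outcome = "successful" if ret == "success" else f"failed ({ret})"
    # a path may itself contain commas, so rejoin the split fields
    paths = record.get("path", [])
    target = f" on {','.join(paths[0])}" if paths else ""
    return f"{user} (pid {pid}) {outcome} {event}{target} on {timestamp}"


def review(text: str, suppress: Set[str] = NOISE_EVENTS) -> Tuple[List[str], Counter]:
    """Return (summaries of non-suppressed records, count of every event type)."""
    kept: List[str] = []
    counts: Counter = Counter()
    for rec in parse_records(text):
        event = rec["header"][0][2]
        counts[event] += 1  # count everything, including suppressed events
        if event in suppress:
            continue
        kept.append(summarize(rec))
    return kept, counts


if __name__ == "__main__":
    lines, counts = review(SAMPLE)
    for line in lines:
        print(line)
    print("--- event counts (use these to tune the noise list) ---")
    for event, n in counts.most_common():
        print(f"{n:6d}  {event}")
```

The histogram is the point of the filter list: suppression is applied at review time only, and every record is still counted, so a sudden change in the count of a "routine" event remains visible even though its individual records are hidden. For a real dump, pipe `praudit` output into `review()` instead of `SAMPLE`.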
Fed-talk mailing list (email@hidden)