[Fed-Talk] improving bsm auditing's signal to noise ratio

  • Subject: [Fed-Talk] improving bsm auditing's signal to noise ratio
  • From: Marty Boegner <email@hidden>
  • Date: Thu, 17 Apr 2008 09:16:20 -0400

Greetings all, I'm new to the list and this is my first mailing to the group.

I searched the fed-talk mailing list archive for the terms below before deciding to post here, and received 0 results:

sysctl
ptrace
recvmsg

These three terms show up a lot in the BSM auditing logs. I'm looking for a resource that will help me decode the output of the praudit command. I'm using scripts now to get this:

<snip>
header,221,1,chmod(2),0,Fri Apr 11 10:25:27 2008, + 352 msec
argument,2,0x1c0,new file mode
path,/private/var/audit/to-be-reviewed/macsetup
path,/private/var/audit/to-be-reviewed/macsetup
attribute,40755,root,admin,234881026,0,0
subject,root,root,wheel,root,wheel,461,68,50331650,0.0.0.0
return,success,0
trailer,221
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 359 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 360 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
</snip>

into this:

root on macsetup successful change permission on /private/var/audit/to-be-reviewed/macsetup on Fri Apr 11 10:25:27 2008 ****
root on macsetup successful sysctl(3) on Fri Apr 11 10:25:27 2008 ****
root on macsetup successful sysctl(3) on Fri Apr 11 10:25:27 2008 ****

but the S/N ratio is still abysmal.

Is there such a resource that will let me know what sysctl|ptrace|recvmsg events are? I maintain systems that need to be NISPOM compliant, and this is a standard log review duty. What are other list members doing? And can you point me to any documentation?

Thanks in advance.


M a r t y

_______________________________________________________

Martin Boegner Jr.
NSTD/STL
The Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Road, Laurel, MD 20723-6099

_______________________________________________________
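The filtering the post is after, as an added example that is not part of the original message or of Apple's audit tooling: a small parser for praudit's default comma-delimited, one-token-per-line output that groups tokens from header to trailer, then suppresses successful sysctl/ptrace/recvmsg records while keeping every failure and every record where the audit uid differs from the effective uid (someone acting through su or sudo). The host name "macsetup", the event names "ptrace(2)" and "recvmsg(2)" (which follow the same naming convention as the "sysctl(3)" seen in the post), and the extra records in the sample are assumptions; the sample itself is constructed from the records quoted above.

```python
"""Parse praudit(1) comma-delimited output and drop noisy successful events.
Added example, not the poster's script or Apple's tooling.  Assumed: host
name "macsetup", the NOISY event names, and the last two SAMPLE records."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, modelled on the praudit records quoted in the post.
SAMPLE = """\
header,221,1,chmod(2),0,Fri Apr 11 10:25:27 2008, + 352 msec
argument,2,0x1c0,new file mode
path,/private/var/audit/to-be-reviewed/macsetup
path,/private/var/audit/to-be-reviewed/macsetup
attribute,40755,root,admin,234881026,0,0
subject,root,root,wheel,root,wheel,461,68,50331650,0.0.0.0
return,success,0
trailer,221
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 359 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
header,94,1,sysctl(3),0,Fri Apr 11 10:25:28 2008, + 12 msec
argument,1,0,name
subject,marty,root,wheel,root,wheel,470,68,50331650,0.0.0.0
return,success,0
trailer,94
header,94,1,recvmsg(2),0,Fri Apr 11 10:25:29 2008, + 40 msec
subject,marty,marty,staff,marty,staff,471,68,50331650,0.0.0.0
return,failure : Operation not permitted,-1
trailer,94
"""

# Pure noise when they succeed.  sysctl(3) is the name seen in the post; the
# other two are assumed to follow the same <call>(<man section>) convention.
NOISY = {"sysctl(3)", "ptrace(2)", "recvmsg(2)"}


@dataclass
class Record:
    event: str
    time: str
    auid: str = "?"      # audit uid: the login identity, survives su/sudo
    euid: str = "?"      # effective uid at the time of the call
    pid: str = "?"
    status: str = "?"    # "success" or "failure : <strerror text>"
    paths: List[str] = field(default_factory=list)
    args: List[Tuple[str, str]] = field(default_factory=list)  # (desc, value)


def parse_praudit(text: str) -> List[Record]:
    """Group praudit tokens from each header to its trailer into a Record."""
    records: List[Record] = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        tok, _, rest = line.partition(",")
        if tok == "header":
            # header,<len>,<version>,<event>,<modifier>,<time>, + <n> msec
            f = rest.split(",")
            cur = Record(event=f[2], time=f[4].strip())
        elif cur is None:
            continue                      # token outside any record: skip
        elif tok == "path":
            cur.paths.append(rest)        # a path may itself contain commas
        elif tok == "argument":
            f = rest.split(",", 2)        # <argno>,<value>,<description>
            cur.args.append((f[2], f[1]))
        elif tok == "subject":
            f = rest.split(",")           # auid,euid,egid,ruid,rgid,pid,...
            cur.auid, cur.euid, cur.pid = f[0], f[1], f[5]
        elif tok == "return":
            cur.status = rest.split(",")[0]
        elif tok == "trailer":
            records.append(cur)
            cur = None
    return records


def summarize(r: Record, host: str) -> str:
    """One reviewer-facing line per record, in the style of the post."""
    if r.status == "success":
        outcome = "successful"
    else:
        outcome = "failed (" + r.status.partition(":")[2].strip() + ")"
    target = " on " + r.paths[0] if r.paths else ""
    return f"{r.auid} on {host} {outcome} {r.event}{target} at {r.time}"


def triage(records: List[Record], noisy=NOISY, host: str = "macsetup"):
    """Drop successful noisy events unless the effective uid differs from
    the audit uid; count what was dropped so nothing vanishes silently."""
    kept: List[str] = []
    suppressed: Counter = Counter()
    for r in records:
        if r.event in noisy and r.status == "success" and r.auid == r.euid:
            suppressed[r.event] += 1
            continue
        kept.append(summarize(r, host))
    return kept, suppressed


if __name__ == "__main__":
    lines, dropped = triage(parse_praudit(SAMPLE))
    print("\n".join(lines))
    for event, n in sorted(dropped.items()):
        print(f"suppressed {n} successful {event}")
```

To run it over a real trail, feed `praudit /var/audit/<trail>` to the script on stdin in place of SAMPLE. The suppressed counts are printed on purpose: a reviewer signing off a NISPOM log review should see how many records the filter hid, not just the survivors, and the auid/euid check keeps the one class of "noisy" call that is actually interesting, a user acting as root.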