RE: [Fed-Talk] improving bsm auditing's signal to noise ratio
- Subject: RE: [Fed-Talk] improving bsm auditing's signal to noise ratio
- From: "Valentine, Ruth Ann B." <email@hidden>
- Date: Tue, 29 Apr 2008 09:29:21 -0400
- Thread-topic: [Fed-Talk] improving bsm auditing's signal to noise ratio
I, too, have navigated the Apple audit quagmire. I have a little shell
script that I wrote that cuts out the events of interest and then cuts
out the extra stuff and just reports things like "usera logged on
at ...", "userb accessed an external disk at ...", and flags night and
weekend use, etc.
I will see if I can release it.
I learned what needed to be audited by trial and error when I first
configured the machine. I had to create some dummy users to test the
password expiration and things like that, so I was able to find the
code words in the praudit output that mapped to these events.
If you know grep and cut, you can probably roll your own.
Ruth Ann
-----Original Message-----
From: fed-talk-bounces+ruthann=email@hidden
[mailto:fed-talk-bounces+ruthann=email@hidden] On Behalf
Of Dan O'Donnell
Sent: Monday, April 21, 2008 11:51 AM
To: email@hidden
Cc: email@hidden
Subject: Re: [Fed-Talk] improving bsm auditing's signal to noise ratio
Marty,
I'm working on a solution for this problem, but it's too early yet to
put it out into the community. (Still in early stages of design and
development.)
Best,
Dan O'Donnell
--
Dan O'Donnell
ISSO
RAND Corporation
1776 Main St.
PO Box 2138
Santa Monica CA 90407-2138
310-393-0411 x6637
email@hidden
email@hidden
On 4/17/08 12:05 PM, "email@hidden" <email@hidden> wrote:
> Message: 1
> Date: Thu, 17 Apr 2008 09:16:20 -0400
> From: Marty Boegner <email@hidden>
> Subject: [Fed-Talk] improving bsm auditing's signal to noise ratio
> To: email@hidden
> Message-ID: <email@hidden>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> Greetings all, I'm new to the list and this is my first mailing to the
> group.
>
> I searched the fed-talk mailing list archive for the terms below
> before deciding to post here, and received 0 results:
>
> sysctl
> ptrace
> recvmsg
>
> These three terms show up a lot in the BSM auditing logs. I'm looking
> for a resource that will help me decode the output of the praudit
> command. I'm using scripts now to get this:
>
>> <snip>
>> header,221,1,chmod(2),0,Fri Apr 11 10:25:27 2008, + 352 msec
>> argument,2,0x1c0,new file mode
>> path,/private/var/audit/to-be-reviewed/macsetup
>> path,/private/var/audit/to-be-reviewed/macsetup
>> attribute,40755,root,admin,234881026,0,0
>> subject,root,root,wheel,root,wheel,461,68,50331650,0.0.0.0
>> return,success,0
>> trailer,221
>> header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 359 msec
>> argument,1,0,name
>> argument,1,0x3,name
>> subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
>> return,success,0
>> trailer,94
>> header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 360 msec
>> argument,1,0,name
>> argument,1,0x3,name
>> subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
>> return,success,0
>> trailer,94
>> </snip>
>
> into this:
>
>> root on macsetup successful change permission on /private/var/
>> audit/to-be-reviewed/macsetup on Fri Apr 11 10:25:27 2008 ****
>> root on macsetup successful sysctl(3) on Fri Apr 11 10:25:27
>> 2008 ****
>> root on macsetup successful sysctl(3) on Fri Apr 11 10:25:27
>> 2008 ****
>
> but the S/N ratio is still abysmal.
>
> Is there such a resource that will let me know what sysctl, ptrace and
> recvmsg events are? I maintain systems that need to be NISPOM
> compliant, and this is a standard log review duty. What are other
> list members doing? And can you point me to any documentation?
>
> Thanks in advance.
>
>
> M a r t y
>
> _______________________________________________________
>
> Martin Boegner Jr.
> NSTD/STL
> The Johns Hopkins University Applied Physics Laboratory
> 11100 Johns Hopkins Road, Laurel, MD 20723-6099
>
> _______________________________________________________
__________________________________________________________________________
This email message is for the sole use of the intended recipient(s) and
may contain confidential information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply email and destroy all
copies of the original message.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
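The thread asks for a way to turn praudit's comma-separated records into one line per event worth reading, with the sysctl/ptrace/recvmsg chatter filtered out and night and weekend activity flagged. The script below is an added example (not Ruth Ann's script, Dan's project, or anything from the list) showing one way to do that in Python. It parses the header/argument/path/subject/return/trailer token lines exactly as praudit prints them in the quoted output, counts records per event name so you can see what is drowning the log, drops an assumed NOISE_EVENTS set, and reports the audit UID rather than the effective UID. The sample input is constructed: the first three records copy the shape of the ones quoted in the thread, the fourth is made up to exercise a failed, off-hours access. The business-hours window, the noise set and the host name "macsetup" are assumptions, not anything the thread specifies.

```python
import re
from collections import Counter
from datetime import datetime

# Events dropped from the summary. Assumption: the three names the original
# poster asked about are noise for this review; tune to your own policy.
NOISE_EVENTS = {"sysctl(3)", "ptrace(2)", "recvmsg(2)"}
BUSINESS_HOURS = (7, 19)  # assumed local working hours, [start, end)

# Constructed sample in praudit's default text format. The first three records
# mirror the ones quoted in the thread; the last one is made up.
SAMPLE = """\
header,221,1,chmod(2),0,Fri Apr 11 10:25:27 2008, + 352 msec
argument,2,0x1c0,new file mode
path,/private/var/audit/to-be-reviewed/macsetup
path,/private/var/audit/to-be-reviewed/macsetup
attribute,40755,root,admin,234881026,0,0
subject,root,root,wheel,root,wheel,461,68,50331650,0.0.0.0
return,success,0
trailer,221
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 359 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
header,94,1,sysctl(3),0,Fri Apr 11 10:25:27 2008, + 360 msec
argument,1,0,name
argument,1,0x3,name
subject,root,root,wheel,root,wheel,462,68,50331650,0.0.0.0
return,success,0
trailer,94
header,120,1,open(2) - read,0,Sat Apr 12 23:41:05 2008, + 12 msec
path,/Volumes/USBDISK/report.doc
attribute,100644,usera,staff,234881030,0,0
subject,usera,usera,staff,usera,staff,901,102,50331650,0.0.0.0
return,failure : Permission denied,-1
trailer,120
"""

def parse_time(stamp, msec_field=""):
    """'Fri Apr 11 10:25:27 2008' plus ' + 352 msec' -> datetime."""
    dt = datetime.strptime(stamp.strip(), "%a %b %d %H:%M:%S %Y")
    m = re.search(r"(\d+) msec", msec_field)
    return dt.replace(microsecond=int(m.group(1)) * 1000) if m else dt

def parse_praudit(text):
    """Group praudit token lines into one dict per header...trailer record."""
    records, rec = [], None
    for line in text.splitlines():
        f = line.split(",")
        tok = f[0]
        if tok == "header":
            rec = {"event": f[3], "time": parse_time(f[5], f[6] if len(f) > 6 else ""),
                   "args": [], "paths": [], "subject": None, "return": None}
        elif rec is None:
            continue  # stray token outside a record
        elif tok == "argument":
            rec["args"].append((f[1], f[2], ",".join(f[3:])))
        elif tok == "path":
            rec["paths"].append(",".join(f[1:]))
        elif tok == "subject":
            # audit-uid, euid, egid, ruid, rgid, pid, sid, terminal id (port,addr)
            rec["subject"] = dict(zip(("auid", "euid", "egid", "ruid", "rgid", "pid", "sid"), f[1:8]))
            rec["subject"]["tid"] = ",".join(f[8:])
        elif tok == "return":
            rec["return"] = (f[1], f[2])  # (error text, return value)
        elif tok == "trailer":
            records.append(rec)
            rec = None
    return records

def off_hours(dt):
    """True on weekends or outside BUSINESS_HOURS."""
    return dt.weekday() >= 5 or not (BUSINESS_HOURS[0] <= dt.hour < BUSINESS_HOURS[1])

def event_counts(records):
    """Records per event name; the top entries are your noise candidates."""
    return Counter(r["event"] for r in records)

def summarize(records, host, noise=NOISE_EVENTS):
    """One line per non-noise record, flagging off-hours activity."""
    out = []
    for r in records:
        if r["event"] in noise:
            continue
        # Name the audit UID: it is set at login and survives su/sudo, so it
        # identifies the person rather than the account they switched to.
        who = r["subject"]["auid"] if r["subject"] else "?"
        status = r["return"][0] if r["return"] else "unknown"
        target = r["paths"][0] if r["paths"] else "-"
        flag = " *** OFF-HOURS" if off_hours(r["time"]) else ""
        out.append(f"{who} on {host}: {r['event']} {status} on {target} "
                   f"at {r['time']:%Y-%m-%d %H:%M:%S}{flag}")
    return out

if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    print("\n".join(f"{n:5d} {e}" for e, n in event_counts(recs).most_common()))
    print("\n".join(summarize(recs, "macsetup")))  # assumed host name
```

Run the counts before deciding what to drop: the event names at the top of that list are what is burying the log, and muting a name hides every record with it, including ones from subjects other than root. If a class matters when it comes from an ordinary user (ptrace from an unprivileged account, for instance), filter on event plus subject rather than on the event name alone.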