Re: [Fed-Talk] Audit Explorer
- Subject: Re: [Fed-Talk] Audit Explorer
- From: Todd Heberlein <email@hidden>
- Date: Fri, 08 Apr 2011 09:14:58 -0700
> Also apparently only available in the Mac App store. Does that deny machines
> that are actually running under NISPOM (closed environment without access to
> the public internet) and any machines earlier than 10.6.6?
Fed-Talk folks,
I can send a copy that won't require Mac App Store connectivity; I think it should also run on earlier versions of Snow Leopard too. Just let me know if it is OK and I'll email you a zip file.
Just promise you will only install it on a few machines at this time for testing (scout's honor thing). Once we've pounded out a few more bugs and added back some of the missing features, we can figure out a better distribution method for non-Internet connected machines, people on government accounts, etc.
I don't know if I mentioned this, but (besides bug fixes) the primary functionalities I plan to add for 1.1 are:
1) Save analysis results to a file (which are much, much smaller than the original audit trail)
2) command-line option so it can be run automatically by a cron or launchd job (e.g., at midnight, or at boot)
That way you can have the software running on regular user machines and servers and have the results sent to a central sys-admin.
Then after that (~version 1.2) we will have software that will let you stuff the results in a database. For example, if you already have a database with your other sensor logs, you can just add a handful of tables for the audit trail results. That way you could take a firewall or IDS event and automatically pull up the Process Details for the process that generated that connection. But one step at a time...
I've also had a couple of feature requests emailed to me that I'll try to integrate into the next release. Please continue to send any problems and requests my way.
Todd
PS. Over the weekend I will post more documentation, Flash versions of the videos, and fix any CSS problems with the web pages in other browsers.
Fed-talk mailing list (email@hidden)