Hi all,
I've put beta versions of the BSM audit trail analysis tools "Audit Explorer" and "AE Filter Editor" up if anyone would like to help test them out for me. Besides bug fixes, I am always interested in feature requests or other changes.
Audit Explorer has a number of new features including a command line tool that lets you automatically run the program as part of a shell script or launchd service. You can also direct the command line tool to automatically upload the processed analysis files to a centralized web/audit server. Shortly I'll be posting the PHP script I use to accept the analysis results on my internal web server. Audit Explorer also supports filters to look for key events, and you can supply custom filters if you would like.
And "AE Filter Editor" is the editor for writing custom filters for Audit Explorer.
No access to the Internet such as the Mac App Store is needed and there are no DRM checks, so you can run the programs on an isolated network.
I've also put the application's "Help" documentation online (just raw HTML) if you want to look it over before downloading the DMG. (see links below)
Any help or feedback you can provide is appreciated.
Thanks,
Todd
PS. The first thing you will learn is that Google's Chrome is really, really noisy. It is constantly running programs from non-standard locations and modifying its code in /Applications. I still need to customize the filters to screen out these events.
PPS. I've been primarily focused on Snow Leopard. I've started analyzing Lion audit trails on my Snow Leopard machine, and I've noticed a few oddities in the audit data I need to address.
---------------------------------- Audit Explorer
Documentation:
Disk Image:
---------------------------------- AE Filter Editor
Documentation:
Disk Image:
Note: Currently, if you've edited a document you must remember to save it before you quit. The program won't prompt you to save it when you quit.