New development

Timothy R. Chavez tinytim at us.ibm.com
Mon Sep 12 20:00:53 UTC 2005


On Monday 12 September 2005 14:38, Dustin Kirkland wrote:

<snip>

>.  Perhaps after this patch is integrated, the binary record to-do
> sounds interesting to me...
> 
> 
> 
> :-Dustin
> 

So we have talked about this in the past and it was indeed slated for EAL4, but was dropped in
favor of plaintext.  This is a good place to start,

http://www-aix.informatik.uni-tuebingen.de/doc_link/en_US/a_doc_lib/aixprggd/progcomc/ch4_xdr.htm

I'm partial to using XDR as it's already in the kernel (net/sunrpc/xdr.c) and addresses, by design,
some of the nasty issues that surface when using a binary record format (i.e. 32-bit vs. 64-bit).

We're also going to want to converge on a set of standard tokens and some have suggested we
go with the BSM (Basic Security Module) set of audit tokens.  Here's a good paper on this
subject,

http://72.14.207.104/search?q=cache:wXnO2bVvxiMJ:dependability.cs.virginia.edu/bibliography/19070001.pdf+Better+Logging+Through+Formality&hl=en
(Looks like the original PDF was removed)

And it's worth checking out the TrustedBSD implementation... 

http://fxr.watson.org/fxr/source/bsm/?v=TRUSTEDBSD-AUDIT3

-tim
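The 32-bit vs. 64-bit point Tim makes is the usual argument for XDR: every item is written as a fixed-width, big-endian quantity padded to a 4-byte boundary, so a record written by a 64-bit producer decodes identically on a 32-bit consumer. The following is an added example, not code from the thread or from the kernel's net/sunrpc/xdr.c; it hand-rolls the few XDR primitives needed to encode and decode a hypothetical audit record (the field set, the `audit_rec_*` names and the sample values are all assumptions). The decoder bounds-checks the embedded string length rather than trusting it, which is the check a log consumer needs when reading records from a file it did not write.

```c
/* Added example (not from the original thread or the kernel): a minimal
 * XDR-style encoder/decoder for a hypothetical audit record. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (an assumption, not the kernel's format):
 * pid (XDR int), uid (unsigned int), timestamp (hyper), syscall name (string). */
struct audit_rec {
    int32_t  pid;
    uint32_t uid;
    int64_t  ts;        /* XDR hyper: always 8 bytes, regardless of host word size */
    char     name[32];
};

/* XDR primitives: each item is big-endian and occupies a multiple of 4 bytes. */
static size_t xdr_put_u32(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)(v >> 24); out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);  out[3] = (uint8_t)v;
    return 4;
}
static size_t xdr_put_u64(uint8_t *out, uint64_t v) {
    xdr_put_u32(out, (uint32_t)(v >> 32));
    xdr_put_u32(out + 4, (uint32_t)v);
    return 8;
}
/* XDR string: 4-byte length, then the bytes, zero-padded to a 4-byte boundary. */
static size_t xdr_put_string(uint8_t *out, const char *s) {
    uint32_t len = (uint32_t)strlen(s);
    size_t n = xdr_put_u32(out, len);
    memcpy(out + n, s, len);
    n += len;
    while (n % 4) out[n++] = 0;
    return n;
}
static uint32_t xdr_get_u32(const uint8_t *in) {
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  | (uint32_t)in[3];
}
static uint64_t xdr_get_u64(const uint8_t *in) {
    return ((uint64_t)xdr_get_u32(in) << 32) | xdr_get_u32(in + 4);
}

/* Encode a record into buf; returns bytes written, or 0 if buf is too small. */
size_t audit_rec_encode(const struct audit_rec *r, uint8_t *buf, size_t cap) {
    size_t padded = (strlen(r->name) + 3) & ~(size_t)3;
    if (4 + 4 + 8 + 4 + padded > cap) return 0;
    size_t n = 0;
    n += xdr_put_u32(buf + n, (uint32_t)r->pid);
    n += xdr_put_u32(buf + n, r->uid);
    n += xdr_put_u64(buf + n, (uint64_t)r->ts);
    n += xdr_put_string(buf + n, r->name);
    return n;
}

/* Decode a record; returns bytes consumed, or 0 if the buffer is truncated or the
 * embedded string length is implausible. The consumer never trusts that length. */
size_t audit_rec_decode(const uint8_t *buf, size_t len, struct audit_rec *r) {
    if (len < 20) return 0;                       /* fixed part: 4 + 4 + 8 + 4 */
    r->pid = (int32_t)xdr_get_u32(buf);
    r->uid = xdr_get_u32(buf + 4);
    r->ts  = (int64_t)xdr_get_u64(buf + 8);
    uint32_t slen = xdr_get_u32(buf + 16);
    size_t padded = ((size_t)slen + 3) & ~(size_t)3;
    if (slen >= sizeof r->name || 20 + padded > len) return 0;
    memcpy(r->name, buf + 20, slen);
    r->name[slen] = '\0';
    return 20 + padded;
}

int main(void) {
    /* Constructed sample record; the timestamp is an arbitrary 2005 epoch value. */
    struct audit_rec in = { 1234, 1000, 1126555253LL, "open" }, out;
    uint8_t buf[64];
    size_t n = audit_rec_encode(&in, buf, sizeof buf);
    printf("encoded %zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\n");
    if (audit_rec_decode(buf, n, &out))
        printf("pid=%d uid=%u ts=%lld name=%s\n",
               out.pid, out.uid, (long long)out.ts, out.name);
    return 0;
}
```

The encoded bytes are the same on any host: the timestamp always takes 8 bytes (a 64-bit `time_t` written as a native struct would not), and the decoder rejects a truncated buffer or a length field larger than the field it fills instead of reading past the end of the record.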
