Receiving Linux Audit trails with auditdistd
The aim of this project is to develop a solution that enables the auditdistd daemon running on FreeBSD to receive audit trails generated by the Linux Audit subsystem.
- Modify auditdistd so that it can be used directly as an audispd plugin (Linux Audit plugins receive records on standard input).
- One less program involved in the process of sending logs.
- This amounts to adapting and modifying the auditdistd code, a solution very similar to the original idea of writing a brand new Linux Audit plugin that talks to auditdistd running on FreeBSD.
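The plugin interface the first item relies on (audispd starts the plugin and writes audit records to its standard input) as an added worked example in C. This is not code from auditdistd, audispd or this project. It assumes the plugin is registered with `format = string`, so every record arrives as one text line of the form `type=T msg=audit(SEC.MSEC:SERIAL): ...`, and that a multi-record event is terminated by a record of type EOE; the sample records are constructed, and process_stream, event_sink and run_demo are names invented for the example.

```c
/* Added example, not code from auditdistd or the Linux Audit project: the stdin
 * side of an audispd plugin. Assumes the plugin runs with `format = string`, so
 * each record is one line "type=T msg=audit(SEC.MSEC:SERIAL): ..." and a
 * multi-record event ends with a record of type EOE. All names are this example's own. */
#define _POSIX_C_SOURCE 200809L /* getline, fmemopen */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#define EVENT_MAX 8192 /* largest event the accumulator holds */

struct audit_rec {
    char type[32];        /* SYSCALL, PATH, EOE, ... */
    long sec; int msec;   /* timestamp */
    unsigned long serial; /* shared by every record of one event */
    const char *body;     /* text after "):" */
};
/* Parse one string-format record; returns 1 on success, 0 if malformed. */
int parse_audit_record(const char *line, struct audit_rec *rec)
{
    const char *p = strstr(line, "type=");
    if (p == NULL) return 0;
    p += 5;
    size_t n = strcspn(p, " \n");
    if (n == 0 || n >= sizeof rec->type) return 0;
    memcpy(rec->type, p, n);
    rec->type[n] = '\0';
    const char *m = strstr(p + n, "msg=audit(");
    if (m == NULL) return 0;
    int used = 0; /* %n is stored only if every literal before it matched */
    sscanf(m + 10, "%ld.%d:%lu):%n", &rec->sec, &rec->msec, &rec->serial, &used);
    if (used == 0) return 0;
    rec->body = m + 10 + used;
    return 1;
}
/* A sink receives one complete event, the unit a forwarder would ship. */
typedef void (*event_sink)(unsigned long serial, const char *data, size_t len, void *ctx);
struct event_buf { unsigned long serial; size_t len; char data[EVENT_MAX]; };
static long flush_event(struct event_buf *ev, event_sink sink, void *ctx)
{
    if (ev->len == 0) return 0;
    sink(ev->serial, ev->data, ev->len, ctx);
    ev->len = 0;
    return 1;
}
/* Plugin main loop: group records read from `in` into events by serial and EOE.
 * Returns deliveries to `sink`; malformed or oversized lines are skipped and
 * counted in *malformed when it is non-NULL. */
long process_stream(FILE *in, event_sink sink, void *ctx, long *malformed)
{
    struct event_buf ev = { 0, 0, "" };
    char *line = NULL; size_t cap = 0; ssize_t got;
    long bad = 0, delivered = 0;
    while ((got = getline(&line, &cap, in)) != -1) {
        struct audit_rec rec;
        if ((size_t)got >= EVENT_MAX || !parse_audit_record(line, &rec)) { bad++; continue; }
        /* A new serial, or no room left, closes the event being assembled. */
        if (ev.len > 0 && (rec.serial != ev.serial || ev.len + (size_t)got >= EVENT_MAX))
            delivered += flush_event(&ev, sink, ctx);
        ev.serial = rec.serial;
        memcpy(ev.data + ev.len, line, (size_t)got);
        ev.len += (size_t)got;
        if (strcmp(rec.type, "EOE") == 0) /* explicit end of event */
            delivered += flush_event(&ev, sink, ctx);
    }
    delivered += flush_event(&ev, sink, ctx); /* event still open at EOF */
    free(line);
    if (malformed != NULL) *malformed = bad;
    return delivered;
}
/* Constructed sample, not a real capture: a 3-record event, a junk line, a
 * single-record event without EOE, then another event closed by EOE. */
static const char sample[] =
    "type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0\n"
    "type=PATH msg=audit(1700000000.100:101): item=0 name=\"/usr/bin/id\"\n"
    "type=EOE msg=audit(1700000000.100:101): \n"
    "this line is not an audit record\n"
    "type=USER_LOGIN msg=audit(1700000005.200:102): pid=4242 uid=0 auid=1000 res=success\n"
    "type=SYSCALL msg=audit(1700000009.300:103): arch=c000003e syscall=2 success=no exit=-13\n"
    "type=EOE msg=audit(1700000009.300:103): \n";
struct demo_result { long events, malformed, first_event_records; unsigned long last_serial; };
static void counting_sink(unsigned long serial, const char *data, size_t len, void *ctx)
{
    struct demo_result *r = ctx;
    if (r->events == 0) /* records (lines) in the first delivered event */
        for (size_t i = 0; i < len; i++) r->first_event_records += (data[i] == '\n');
    r->events++;
    r->last_serial = serial;
}
/* Run the accumulator over the sample; returns what the sink observed. */
struct demo_result run_demo(void)
{
    struct demo_result r = { 0, 0, 0, 0 };
    FILE *in = fmemopen((void *)sample, sizeof sample - 1, "r");
    if (in == NULL) return r;
    process_stream(in, counting_sink, &r, &r.malformed);
    fclose(in);
    return r;
}
```

In a real plugin the main loop is `process_stream(stdin, sink, ctx, &bad)`, with the sink handing each assembled event to whatever sends it on to auditdistd; audispd registers such a plugin through a small config file (`active = yes`, `direction = out`, `path = ...`, `type = always`, `format = string`) in its plugins.d directory. Grouping by serial matters because a single syscall produces several records, and a receiver that stores trails wants the whole event, not individual lines; the EOE check and the serial change cover both the multi-record and the single-record (no EOE) cases that appear in the sample.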
#II-5 Set up an environment with Linux and FreeBSD.
- For the time being I'm using Vagrant for that.
#II-1 Provide a shell script that creates the files auditdistd needs in order to run.
#II-11 Port proto files to Linux.
#II-9 Find a Linux alternative to the proto library used by auditdistd.
Search for a Linux socket networking library.
#II-10 Try to separate the proto files and the pjdlog files from auditdistd into separate libraries.
- If there is a Linux alternative to libproto, then use it in the Linux port of auditdistd.
#II-6 Make a connection between Linux auditdistd and FreeBSD auditdistd.
- Also while here:
#II-7 Explain the segfault on Linux when killing auditdistd with SIGINT.
#II-8 Explain why the FreeBSD auditdistd prints [ERROR] [TLS sandbox] (server) SSL I/O error. when the Linux auditdistd tries to establish a connection with it over the internal auditdistd protocol.
- The auditdistd code has never been tested on Linux-based systems, so some ifdefs might be misplaced, especially those controlling the various sandboxing technologies such as Capsicum.
- It is not a problem with the ifdefs.
- The whole issue might be irrelevant.
- Also while here:
#II-2 Add a thread capable of doing the job of auditd.
References & notes
IRC channel: Freenode/#openbsm
- Old P4 (Perforce) repositories with a lot of very old commits from the beginnings of OpenBSM. There's a lot of information to be found in those commit messages: