Archive for May, 2008

Patch Published
Friday, May 30th, 2008

Here you can find my patch for auditpipe. If you ever have the chance to try it, please let me know. Feel free to mail me for comments, suggestions and bug-fixes.

Kernel part finished
Wednesday, May 28th, 2008

Hi,

I've just finished the kernel part of my project. I've introduced some new features to auditpipe. Specifically, it's now possible to set up a trail which will trace by pid, or by an event list associated with a specific pid. To specify which tracing capability you'd like for your trail, you just select it with ioctl. It's now also possible to retrieve the pid and event information for a specific trail. To manage the events array I've used qsort to sort the array in ascending order and binary search to look up specific events. If you'd like to see the code, you'll find it in my perforce repository.

From now on I will mainly focus on regression tests. When I have something done, I'll leave a post here.

Some news
Monday, May 12th, 2008

I've just finished uploading the code onto my perforce branch. At the moment the whole code is ready for testing, which means that it should now be possible to audit events one by one. Specifically, I've added some functionality to audit_pipe_ioctl which allows the same operations as before, but on an event list instead of audit classes. All the functions needed to manage the event list were written as well. The audit_pipe_preselect structure was modified, adding a pid field and a dynamic array of structs which holds the event list. The KPI now has two new prototypes for audit_pipe_preselect and audit_pipe_submit in order to allow event matching by pid. As soon as the testing period is finished, new features may be added. All the code can be found on my perforce branch. I'd really appreciate it if anyone willing to help would test the code and give me some feedback. Also please note that the whole code is in a really alpha stage.

That's all folks,
Snagg

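The two posts above describe the same design from the kernel side: a per-trail preselection record carrying a pid plus an event list, with the list sorted by qsort and probed by binary search at submit time. The following is an added, self-contained C model of that preselection check; it is not the author's patch or FreeBSD's audit_pipe code, and the names (trail_preselect, trail_set_events, trail_matches), the fixed-size array, the "empty event list means every event for that pid" rule and the sample event numbers are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Illustrative model of one trail's preselection filter: a pid plus a sorted
 * array of audit event numbers.  Names and layout are assumptions for this
 * example, not FreeBSD's audit_pipe_preselect. */
#define TRAIL_MAX_EVENTS 64

typedef unsigned short trail_event_t;   /* stands in for an audit event number */

struct trail_preselect {
    pid_t pid;                               /* the traced process */
    size_t nevents;                          /* 0 = every event for that pid (assumed rule) */
    trail_event_t events[TRAIL_MAX_EVENTS];  /* kept in ascending order */
};

static int cmp_event(const void *a, const void *b)
{
    trail_event_t x = *(const trail_event_t *)a, y = *(const trail_event_t *)b;
    return (x > y) - (x < y);
}

/* Install an event list as an ioctl handler would after copying it in from
 * userland: bound-check, sort with qsort, drop duplicates.  Returns 0 or -1. */
int trail_set_events(struct trail_preselect *t, const trail_event_t *list, size_t n)
{
    if (n > TRAIL_MAX_EVENTS)
        return -1;
    memcpy(t->events, list, n * sizeof(*list));
    qsort(t->events, n, sizeof(*list), cmp_event);
    size_t w = 0;
    for (size_t r = 0; r < n; r++)
        if (w == 0 || t->events[w - 1] != t->events[r])
            t->events[w++] = t->events[r];
    t->nevents = w;
    return 0;
}

/* Preselection at submit time: does a record for (pid, ev) belong to this
 * trail?  Pid must match; the event is then looked up with bsearch. */
int trail_matches(const struct trail_preselect *t, pid_t pid, trail_event_t ev)
{
    if (t->pid != pid)
        return 0;
    if (t->nevents == 0)
        return 1;                    /* pid-only trail: take every event */
    return bsearch(&ev, t->events, t->nevents, sizeof(ev), cmp_event) != NULL;
}

/* Worked run with constructed values: one trail for pid 1234 that wants
 * events 10, 30 and 40, fed four constructed (pid, event) records.
 * Returns how many records the trail selects (2 here). */
int trail_demo(void)
{
    struct trail_preselect t = { .pid = 1234 };
    const trail_event_t wanted[] = { 40, 10, 30, 10 };   /* unsorted, one duplicate */
    if (trail_set_events(&t, wanted, 4) != 0)
        return -1;
    struct { pid_t pid; trail_event_t ev; } records[] = {
        { 1234, 10 }, { 1234, 20 }, { 999, 30 }, { 1234, 40 }
    };
    int selected = 0;
    for (size_t i = 0; i < 4; i++)
        selected += trail_matches(&t, records[i].pid, records[i].ev);
    return selected;
}

int main(void)
{
    printf("selected %d of 4 records\n", trail_demo());
    return 0;
}
```

The point of sorting once in the ioctl path and searching in the submit path is that the submit path runs on every audited syscall, so the per-record cost stays logarithmic in the list length; de-duplicating at install time also keeps the list a set, so a user-supplied list with repeated entries cannot inflate it.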
First post, me and my project
Thursday, May 1st, 2008

Hi all,

I'm Vincenzo Iozzo, currently studying computer engineering at the Politecnico di Milano. I also work for Secure Network srl, and in my spare time I do some research for my university. I'm mainly involved in IT security. Now, after this brief presentation, I'd like to spend a few words on my project for this Summer of Code. I will modify the FreeBSD auditpipe support in order to provide more granularity while auditing syscalls. In fact, at present, your choice of what to audit is limited to the default classes. With my patch it will be possible to select every syscall on its own. The second half of the project will consist of creating a framework for testing the correct behavior of the auditing system and, if needed, patching it. Finally, the whole auditing system will be checked to see whether or not it is vulnerable to some anti-forensics techniques. Here you can find a detailed description of the first part of the project.

Snagg