From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Matteo Michelini" <matteo.michelini@gmail.com>
Subject: Re: get_field_str() and interpret_field() bug with multi-word fields
Date: Fri, 15 Aug 2008 17:27:42 +0200
Message-ID: <87ba673d0808150827s1e7464a6nc8fe4c8e044bbe5e@mail.gmail.com>
References: <0E43BF2D7491F0468B56B1A5C493866B020DD0F1@SAT4MX07.RACKSPACE.CORP>
	<1218738325.29535.85.camel@moss-spartans.epoch.ncsc.mil>
	<87ba673d0808150658v7ce2f764s72b517c9dedfc4b6@mail.gmail.com>
	<200808151010.49602.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m7FFSN4d012132
	for <linux-audit@redhat.com>; Fri, 15 Aug 2008 11:28:23 -0400
Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.169])
	by mx3.redhat.com (8.13.8/8.13.8) with ESMTP id m7FFRhvU027753
	for <linux-audit@redhat.com>; Fri, 15 Aug 2008 11:27:43 -0400
Received: by wf-out-1314.google.com with SMTP id 25so928881wfc.6
	for <linux-audit@redhat.com>; Fri, 15 Aug 2008 08:27:42 -0700 (PDT)
In-Reply-To: <200808151010.49602.sgrubb@redhat.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, Bret Piatt <bret.piatt@rackspace.com>
List-Id: linux-audit@redhat.com

2008/8/15, Steve Grubb <sgrubb@redhat.com>:
> On Friday 15 August 2008 09:58:54 Matteo Michelini wrote:
>> I'm working on a binary format for the linux-audit system as part of a
>> university research project.
>
> Big-endian/little-endian in aggregated logs? Will the kernel authors allow
> the
> encoder in the kernel? XDR was the only option we had last time. Versioning
> of structs? How do old user space tools work with new kernel that may change
> layout? Patents?
>
I must design and implement something that is really close to the
FreeBSD BSM implementation, because in userspace we have a tool (an
IDS) that works with BSM trails format only.
I'm designing the patch with the big-endian encoding format.
My idea is only to add this capability to the existing text-based format.
The FreeBSD BSM implementation is BSD License..

> -Steve
>


-- 
Matteo Michelini (Milan - Italy)
http://www.michelini.co.uk
Linux registered user: #332873