
Audit journal to MySQL database to PDF report


Arne Vajhøj

Apr 16, 2023, 10:30:21 AM
https://www.vajhoej.dk/arne/articles/vmstd7.html

has some examples showing how audit journal to MySQL database
to PDF report can be done on VMS.

Arne

plugh

Apr 16, 2023, 6:01:57 PM
I take it that's follow-up on ossec? Very interesting. I will have to look at it more closely, thanks!

I don't want to hijack this thread, so I'm posting a related message.

plugh

Apr 16, 2023, 6:29:05 PM
On Sunday, April 16, 2023 at 7:30:21 AM UTC-7, Arne Vajhøj wrote:
It looks like all audit records are based on the DECnet architecture; which means there will have to be a way to get an IP address from the DECnet node.
Beyond that, the audit journal has what's necessary to generate a response for many ossec event handling services such as file and process monitoring, integrity checking.

plugh

Apr 16, 2023, 6:43:05 PM
On Sunday, April 16, 2023 at 3:29:05 PM UTC-7, plugh wrote:

> It looks like all audit records are based on the DECnet architecture; which means there will have to be a way to get an IP address from the DECnet node.
> Beyond that, the audit journal has what's necessary to generate a response for many ossec event handling services such as file and process monitoring, integrity checking.

Thinking about it further, any such translation would be coddling ossec in that I'm /pretty/ sure it wants objects to block identified either by IP V4 or V6 addresses. DECnet demonstrates a faulty ossec architectural design in that respect. After all, the response will run only on the ossec agent generating the event; there's no need for the ossec server to grok the network id that the agent transmits. It's up to the agent to handle the response if it's warranted; which decision occurs on the server. There's no reason the server event management logic should impose an IP address domain requirement. The upshot of this observation is that the XML ossec rule definition DTD contains tags whose interpretation (ossec actions at runtime) can't be a DECnet node name. I'll have to follow up on this, but I'm pretty sure that's the case.

Additionally, ossec relies a lot on regular expressions to trigger rule selection. DECnet object ids and IP V6 addresses both contain the ":::" string.
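
The regex-selection problem described in the post above, as an added example that is not part of the original thread, of ossec, or of OpenVMS: a naive "::" trigger fires on both a DECnet NODE::OBJECT identifier and a compressed IPv6 address, so the classifier below validates IP addresses with Python's ipaddress module first and only then applies a DECnet pattern. The DECnet pattern assumes Phase IV style node names (1-6 alphanumerics, which is my assumption, not something the thread states), and every identifier in the sample list is constructed, not copied from ANALYZE/AUDIT output or an ossec rule file.

```python
"""Tell DECnet NODE::OBJECT identifiers apart from IPv6 addresses.

Added example. Assumptions (not from the thread): DECnet Phase IV style
node names of 1-6 alphanumerics; sample identifiers are constructed.
"""
import ipaddress
import re

# DECnet Phase IV node spec: NODE::OBJECT. The object part is optional.
DECNET_RE = re.compile(
    r"^(?P<node>[A-Z0-9]{1,6})::(?P<obj>[A-Z0-9$_]*)$", re.IGNORECASE
)

# The kind of loose trigger the post warns about: anything containing "::".
NAIVE_RE = re.compile(r"::")


def naive_is_decnet(ident: str) -> bool:
    """A rule keyed only on '::' cannot tell DECnet from compressed IPv6."""
    return NAIVE_RE.search(ident) is not None


def classify(ident: str):
    """Return (kind, canonical) with kind in decnet / ipv6 / ipv4 / unknown.

    IP parsing runs first on purpose: 'fe80::1' is a valid IPv6 address but
    would also satisfy a loose NODE::OBJECT pattern (node 'fe80', object '1').
    A hex-only DECnet node name with an empty object, e.g. 'ABCD::', is
    genuinely ambiguous and is reported as IPv6; the record field it came
    from, not the string alone, has to resolve that case.
    """
    ident = ident.strip()
    try:
        addr = ipaddress.ip_address(ident)
        return ("ipv6" if addr.version == 6 else "ipv4", addr.compressed)
    except ValueError:
        pass
    m = DECNET_RE.match(ident)
    if m:
        node = m.group("node").upper()
        obj = m.group("obj").upper()
        return ("decnet", f"{node}::{obj}")
    return ("unknown", ident)


def summarize(idents):
    """Count identifiers per kind; useful as a sanity check on a log sample."""
    counts = {}
    for ident in idents:
        kind, _ = classify(ident)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample identifiers (not real audit journal content).
SAMPLE_IDENTS = [
    "VAXNOD::SYS$NET",   # DECnet node and object
    "ALPHA1::",          # DECnet node, no object
    "fe80::1",           # IPv6 link-local, compressed
    "::1",               # IPv6 loopback
    "2001:db8::10",      # IPv6 documentation prefix
    "192.0.2.10",        # IPv4 documentation prefix
    "ABCD::",            # ambiguous: hex-only node name parses as IPv6
]

if __name__ == "__main__":
    for ident in SAMPLE_IDENTS:
        print(f"{ident:16} naive={naive_is_decnet(ident)!s:5} -> {classify(ident)}")
    print(summarize(SAMPLE_IDENTS))
```

Note the ordering: trying ipaddress first is what removes the false positives, and the one case it cannot settle (a hex-only node name with nothing after the "::") is exactly where a rule engine needs to know which record field the string came from rather than pattern-matching the bare string.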

Arne Vajhøj

Apr 16, 2023, 6:48:08 PM
On 4/16/2023 6:01 PM, plugh wrote:
> On Sunday, April 16, 2023 at 7:30:21 AM UTC-7, Arne Vajhøj wrote:
>> https://www.vajhoej.dk/arne/articles/vmstd7.html
>>
>> has some examples showing how audit journal to MySQL database
>> to PDF report can be done on VMS.
>
> I take it that's follow-up on ossec?

Actually it was triggered by this one:

https://forum.vmssoftware.com/viewtopic.php?f=8&p=18184

> Very interesting. I will have to look at it more closely, thanks!

Thanks.

Arne

Arne Vajhøj

May 3, 2023, 1:13:44 PM
https://www.vajhoej.dk/arne/articles/vmstd8.html

similar stuff for accounting data.

Actually less code, but the PDF report contains graphics
this time.

:-)

Arne
