The Audit Record Framework (ARF) is part of the Bandit Project. ARF provides an application and system instrumentation library written in the C programming language. The ARF audit instrumentation library allows developers to instrument their applications to emit rich structured events suitable for use by security analysis tools. The audit event stream can be configured through an XML policy file to be sent to one or more audit servers. The back-end wire protocol is the syslog-conn wire protocol documented in RFC 3195. The data model used by ARF is the OASIS WSDM Event Format (WEF).
Project highlights, architecture, use cases, and other ARF documentation and resources can be found at the ARF main page on the Bandit Project site.
ARF Version 0.1 is the latest. Download arf-0.1.32.tar.bz2. Please see the Release 0.1 notes below.
This version is functional, but has a lot of rough edges. No defects that I'm aware of, but the implementation is a bit rough. This version supports the ARF-WEF interface (what the Bandit site refers to as "the ARF Level 1a interface"). For this reason, it's still not as useful for audit instrumentation as we'd like, but it shows the concepts. Audit instrumentation will be available in Release 0.2, where we'll implement the ARF Level 1b interface.
Another issue with this release is that the event stream is implemented to write to the syslog interface on POSIX systems, and to the kiwi-syslog client library on Windows. While this isn't an inherently bad architecture, there are minor issues with it that we'd like to address in the next release. POSIX syslog is not handle-based but process-based: a process may only open one event stream using this implementation. The ARF interface allows for multiple event streams, but syslog forces us to return a non-functional handle value. The handle manages things all right, but you may only open one per process. The kiwi-syslog client library, while handle-based, has its own problems. Ultimately, we'd like to implement the syslog protocol within the ARF event stream itself. It will be configured with policy in ARF configuration files, both per application and global.
NOTE: This is a SOURCE release only. Binary releases will be added as we get automated nightly builds going.
| development | - | 2006-08-03 |
| release | - | 2006-08-03 |
Browsing the Subversion tree gives you access to this project's shared source code and files. You may also view the complete history of any file in the repository.
| Name | Position |
|---|---|
| Jcalcote | Administrator |
© 2008 Novell, Inc. All Rights Reserved.