-Add support for larger set sizes (for group/user specifications)
-Add the ability to pass the effective uid to a trigger
-Fixed bug which resulted in "status" being ignored for single state sequences
-Added support for logging channels.
-Added support for state triggers.
-Fixed bug where alerts were being produced for state machines that have been expired. (Alerts have already been generated).
-Fixed two memory leaks which could really impact systems with high volumes of audit records.
Approved by: wxs
Reviewed by: alm (maintainer)
1.1.0 fixes a pretty serious bug which resulted in BSM records without
pathname tokens being processed in some cases.
Additionally, timeout-window and timeout-probability features were added
to allow people defining sequences with timeouts to add an element of
randomness to the timeout, in theory making it more difficult for people
to attack.
timeout 60;
timeout-window 10;
timeout-probability 65;
Basically equates to:
"This sequence should timeout in a random amount of time, where the
probability of the timeout being from 60-70 is 65%"
It should be noted that there is a probability of 35% that the value will
be completely random. So naturally, the lower the timeout-probability, the
more random the timeout will be.
Approved by: tmclaugh
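The randomised timeout described in the 1.1.0 entry above, worked through as an added Python example (this is not bsmtrace's own code): a TimeoutPolicy draws the timeout for one sequence instance from the timeout / timeout-window / timeout-probability triple, and a small Sequence shows an instance that runs past its deadline being dropped instead of alerting. The range used for the "completely random" case (1 up to timeout + window) is an assumption; the page does not say which range bsmtrace uses.

```python
import random
from dataclasses import dataclass

@dataclass
class TimeoutPolicy:
    """The timeout / timeout-window / timeout-probability triple from the 1.1.0 entry."""
    timeout: int             # base timeout in seconds (60 in the example above)
    window: int = 0          # width of the window (10 above)
    probability: int = 100   # percent chance the draw lands in [timeout, timeout + window]

    def pick(self, rng):
        """Draw the timeout for one sequence instance; returns (seconds, landed_in_window)."""
        if rng.randrange(100) < self.probability:
            return self.timeout + rng.randint(0, self.window), True
        # Assumption: the "completely random" case is uniform over 1..timeout+window;
        # the page does not specify the range bsmtrace uses.
        return rng.randint(1, self.timeout + self.window), False

class Sequence:
    """A state sequence whose clock starts at the first matching event."""

    def __init__(self, states, policy, seed=0):
        self.states, self.policy, self.rng = list(states), policy, random.Random(seed)
        self.pos, self.deadline = 0, None

    def feed(self, ts, event):
        """Feed one (timestamp, event) pair; returns 'expired', 'ignored', 'advanced' or 'complete'."""
        if self.deadline is not None and ts > self.deadline:
            # Instance timed out: drop it without alerting (the event itself is not re-evaluated).
            self.pos, self.deadline = 0, None
            return "expired"
        if event != self.states[self.pos]:
            return "ignored"
        if self.pos == 0:
            self.deadline = ts + self.policy.pick(self.rng)[0]  # the clock starts here
        self.pos += 1
        if self.pos == len(self.states):
            self.pos, self.deadline = 0, None
            return "complete"
        return "advanced"

def sample(policy, draws, seed=1):
    """Draw `draws` timeouts with a seeded RNG; returns a list of (seconds, in_window)."""
    rng = random.Random(seed)
    return [policy.pick(rng) for _ in range(draws)]

def in_window_fraction(policy, draws, seed=1):
    """Share of draws that landed in [timeout, timeout + window]; tends to probability/100."""
    return sum(inw for _, inw in sample(policy, draws, seed)) / draws
```

With `TimeoutPolicy(60, 10, 65)` roughly 65% of draws fall in 60..70 and the rest are spread over the whole range, which is the "lower probability, more random" behaviour the entry describes.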
bsmtrace is an audit-driven, host-based intrusion detection system which
operates on finite state machine principles. Since it's audit driven,
it requires that operating system security auditing be enabled. This
requires FreeBSD 6.2 at a minimum. By default it provides real-time
analysis through the use of an audit pipe; however, it can operate on
regular audit trail files as well.
Approved by: Pav
Reviewed by: Pav (and others)