BSMpseu 0.1.6 - Pseudonymizer for Solaris Audit Trails

Copyright © 2002, 2003 by Konrad Rieck

BSMpseu

Introduction

BSMpseu pseudonymizes records from Solaris BSM audit trail files. Personal data such as user IDs, group IDs, etc. is replaced with pseudonyms, so that the generated output doesn't reveal private information about the system's users, but still preserves a maximum of integrity and consistency.

BSMpseu has been designed with efficiency and privacy in mind, but doesn't offer cryptographic strong security, as proposed in some research papers, in order to ensure a realistic performance.

* The Solaris logo is a registered trademark or trademark of Sun Microsystems, Inc.


Changes

Version Date Changes
0.1.6 2003-01-30 Added support for Solaris 8 and 9 systems running a 32 bit kernel.
0.1.5 2003-01-03 - Fixed a bug in gid pseudonymizing
- Fixed consistency problem in command line options
- Updated manual page
0.1.4b 2002-12-13 Initial beta release


Downloads

Source packages
Release Source Package Size
BSMpseu 0.1.6 bsmpseu-0.1.6.tar.gz 90kb
BSMpseu 0.1.5 bsmpseu-0.1.5.tar.gz 90kb
BSMpseu 0.1.4b bsmpseu-0.1.4b.tar.gz 90kb


Details

BSMpseu sequentially reads one or more input audit trail files and writes the pseudonymized audit trail to standard output. The input and output audit trail files can be in plain BSM audit or in zlib(3) / gzip(1) compressed format. bsmpseu pseudonymizes a 200MB audit trail file on a plain Sun Ultra 10 in 50 seconds and pseudonymizes and com­ presses the same file within 8 minutes.

Depending on the type of information, the personal data is replaced by random data, cleared/blanked or shifted by a random value. Details are listed below.

User IDs, Group IDs and Process IDs
User IDs, group IDs and process IDs are replaced with unique random values. The same random value is mapped to the same ID to preserve the audit context.

Pathnames
Pathnames are matched against list of pathname prefixes. The suffix of a matched pathname is replaced by unique random characters. The same random characters are mapped to the same pathname suffix. E.g. pathname /tmp/foo/bar matching the prefix /tmp/ is mapped to /tmp/Drs/g/T.

Internet Addresses
Internet addresses beside the local addresses 0.0.0.0 (IPv4) and 0::0 (IPv6) are replaced by random internet addresses within the range 60.0.0.0 - 200.0.0.0. Private, local or public addresses will be treated the same.

Execution Arguments and Environment
Execution arguments and environment are overwritten with space characters. Instead of using this option disable execution arguments and environment using the auditcon­ fig(1M).

Timestamps
The timestamps of all audit records are shifted by a ran­ dom value in order to preserve temporal context within the audit trail.

For more information, see the manual page bsmpseu(1) form the source package.


Usage

This will pseudonymize the content of the specified audit files using the default options and display the pseudonymized audit records in human-readable form using the Solaris command praudit(1M):

         % bsmpseu /export/audit/* | praudit

BSMpseu is able to generate compressed output using the -z options, but it is also able to read compressed input audit trail files, as shown in the example below.

         % bsmpseu /export/audit/friday.bsm.gz > /tmp/audit.bsm

Often it is not useful to pseudonymize all data types in an audit trail file. The example below shows the use of the BSMpseu tool where the process IDs and internet addresses are not pseudonymized.

         % bsmpseu -P -A /var/audit/audit.bsm > /tmp/audit.bsm



back