BSMpseu 0.1.6 - Pseudonymizer for Solaris Audit Trails
Copyright © 2002, 2003 by Konrad Rieck
Introduction
BSMpseu pseudonymizes records from Solaris BSM audit trail files. Personal data such as user IDs, group IDs, etc. is replaced with pseudonyms, so that the generated output doesn't reveal private information about the system's users, but still preserves a maximum of integrity and consistency.
BSMpseu has been designed with efficiency and privacy in mind, but doesn't offer cryptographic strong security, as proposed in some research papers, in order to ensure a realistic performance.
* The Solaris logo is a registered trademark or trademark of Sun Microsystems, Inc.
Changes
| Version | Date | Changes |
| 0.1.6 | 2003-01-30 | Added support for Solaris 8 and 9 systems running a 32 bit kernel. |
| 0.1.5 | 2003-01-03 | - Fixed a bug in gid pseudonymizing - Fixed consistency problem in command line options - Updated manual page |
| 0.1.4b | 2002-12-13 | Initial beta release |
Downloads
| Source packages | Release | Source Package | Size |
| BSMpseu 0.1.6 | bsmpseu-0.1.6.tar.gz | 90kb |
| BSMpseu 0.1.5 | bsmpseu-0.1.5.tar.gz | 90kb |
| BSMpseu 0.1.4b | bsmpseu-0.1.4b.tar.gz | 90kb |
Details
BSMpseu sequentially reads one or more input audit trail files and writes the pseudonymized audit trail to standard output. The input and output audit trail files can be in plain BSM audit or in zlib(3) / gzip(1) compressed format. bsmpseu pseudonymizes a 200MB audit trail file on a plain Sun Ultra 10 in 50 seconds and pseudonymizes and com presses the same file within 8 minutes.
Depending on the type of information, the personal data is replaced by random data, cleared/blanked or shifted by a random value. Details are listed below.
User IDs, Group IDs and Process IDs
User IDs, group IDs and process IDs are replaced with
unique random values. The same random value is mapped to
the same ID to preserve the audit context.
Pathnames
Pathnames are matched against list of pathname prefixes.
The suffix of a matched pathname is replaced by unique
random characters. The same random characters are mapped
to the same pathname suffix. E.g. pathname /tmp/foo/bar
matching the prefix /tmp/ is mapped to /tmp/Drs/g/T.
Internet Addresses
Internet addresses beside the local addresses 0.0.0.0
(IPv4) and 0::0 (IPv6) are replaced by random internet
addresses within the range 60.0.0.0 - 200.0.0.0. Private,
local or public addresses will be treated the same.
Execution Arguments and Environment
Execution arguments and environment are overwritten with
space characters. Instead of using this option disable
execution arguments and environment using the auditcon
fig(1M).
Timestamps
The timestamps of all audit records are shifted by a ran
dom value in order to preserve temporal context within the
audit trail.
For more information, see the manual page bsmpseu(1) form the source package.
Usage
This will pseudonymize the content of the specified audit files using the default options and display the pseudonymized audit records in human-readable form using the Solaris command praudit(1M):
% bsmpseu /export/audit/* | praudit
BSMpseu is able to generate compressed output using the -z options, but it is also able to read compressed input audit trail files, as shown in the example below.
% bsmpseu /export/audit/friday.bsm.gz > /tmp/audit.bsm
Often it is not useful to pseudonymize all data types in an audit trail file. The example below shows the use of the BSMpseu tool where the process IDs and internet addresses are not pseudonymized.
% bsmpseu -P -A /var/audit/audit.bsm > /tmp/audit.bsm