VAB Focussed Audit Browser (FAB)

Under construction, look out for falling text and links!

Description

The VAB Focussed Audit Browser, developed in the UC Davis Computer Science Department Security Lab under the Audit Workbench Project, is a utility for browsing the contents of a BSM audit log. The tool presents a graph of the events and objects associated with a specified object, called the focus. For example, if a process is the focus, that process's parent and children, as well as the files it accesses, are represented in the graph.

In its current implementation, HTML forms serve as the graphical user interface (GUI), with the graph displayed as an inlined GIF image. The graph layout is done by AT&T Bell Labs's graph layout filter, DOT. The form input is handled by a Perl CGI script, which passes the appropriate graph to DOT.
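The focus selection and DOT hand-off described above, as an added Python example that is not FAB's own code: the record tuples are a constructed, simplified stand-in for parsed BSM records, and `focus_edges`, `to_dot` and `_esc` are hypothetical names.

```python
# Constructed, simplified audit records (NOT the real BSM binary format):
# (event, pid, argument), where argument is the child pid for "fork"
# and a file path for every other event.
SAMPLE_RECORDS = [
    ("fork", 100, 120),
    ("fork", 120, 130),
    ("open_read", 120, "/etc/passwd"),
    ("open_write", 120, "/tmp/out"),
    ("exec", 130, "/bin/cat"),
    ("open_read", 130, "/tmp/out"),
    ("fork", 100, 140),
    ("open_read", 140, "/etc/motd"),
]


def focus_edges(records, focus):
    """Return sorted (source, target, label) edges that touch the focus.

    The focus is a pid (int) for a process or a path (str) for a file.
    """
    edges = set()
    for event, pid, arg in records:
        if event == "fork":
            # Keep the fork when the focus is the parent or the child.
            if focus in (pid, arg):
                edges.add((f"pid {pid}", f"pid {arg}", "fork"))
        elif focus in (pid, arg):
            # File event: keep it when the focus is the process or the file.
            edges.add((f"pid {pid}", arg, event))
    return sorted(edges)


def _esc(text):
    # Paths come from the audit log, so escape backslashes and quotes
    # to keep them from closing the quoted DOT string early.
    return text.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(edges, focus):
    """Render the edges as DOT text, drawing the focus node in bold."""
    name = f"pid {focus}" if isinstance(focus, int) else focus
    lines = ["digraph focus {", f'  "{_esc(name)}" [style=bold];']
    for src, dst, label in edges:
        lines.append(f'  "{_esc(src)}" -> "{_esc(dst)}" [label="{_esc(label)}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(focus_edges(SAMPLE_RECORDS, 120), 120))
```

The printed text can be piped to `dot -Tsvg` to render the graph for the chosen focus.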

Demo

You can try FAB out here. A demo version has been set up to run on two different logs.

o Try it with "leaky file" log.
o Try it with "missing file" log.
Note that caching is used, so if someone has already asked for a particular focus, you will get the answer back more quickly. Also note that a couple of audit reductions have been specified. In the non-online version these can be controlled (and hence so can what gets displayed), but you can't do that here, so the display may get cluttered.

This prototype uses "gs" to convert the PostScript output of DOT to GIF format, which has limitations and produces poor-quality output; a future version might use "Java".



AWB SecLab Home Page Last revised 27-Jul-95 by Jim Hoagland