[Info-vax] Audit journal to MySQL database to PDF report

[plugh]

On Sunday, April 16, 2023 at 3:29:05 PM UTC-7, plugh wrote:

> It looks like all audit records are based on the DECnet architecture; which means there will have to be a way to get an IP address from the DECnet node. 
> Beyond that, the audit journal has what's necessary to generate a response for many ossec event handling services such as file and process monitoring, integrity checking.

Thinking about it further, any such translation would be coddling ossec in that I'm /pretty/ sure it wants objects to block identified either by IP V4 or V6 addresses. DECnet demonstrates a faulty ossec architectural design in that respect. After all, the response will run only on the ossec agent generating the event; there's no need for the ossec server to grok the network id that the agent transmits. It's up to the agent to handle the response if it's warranted; which decision occurs on the server. There's no reason the server event management logic should impose an IP address domain requirement. The upshot of this observation is that the XML ossec rule definition DTD contains tags whose interpretation (ossec actions at runtime) can't be a DECnet node name. I'll have to follow up on this, but I'm pretty sure that's the case. 

Additionally, ossec relies a lot on regular expressions to trigger rule selection. DECnet object ids and IP V6 addressess both contain the ":::" string