Open trombonehero opened 7 years ago
@rwatson might want to opine on the viability of eventually exposing native audit records rather than CADETS or CDM traces?
I have started the work to expose UUID information via BSM, but there's quite a bit more to do if we want the level of completeness seen in audit.d in the BSM output, since it requires manual extensions to various bits of in-kernel BSM encoding. I need to finish the UUID work -- in particular, I want to introduce an information-flow "direction" field to the BSM tokens for UUIDs so that the audit trail is a bit more provenance-flavoured. It might be useful to spend some time during the Cambridge CADETS meeting in July/August to brainstorm what this might mean.
We should revisit this issue once PVMv2 shakes out.
Longer-term issue: we should be able to summarize trace events into compound nodes and edges that are displayed abstractly without having to display the lower-level parts. Ideally we'd be able to expand higher-level nodes and events into lower-level artifacts, all the way down to bits of CADETS trace (or audit records?).
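As an added example (not code from the CADETS project or from anyone in this thread), the sketch below shows what the two ideas above look like together once records carry subject/object UUIDs and an information-flow direction: the direction field lets a consumer turn events into flow edges without per-syscall knowledge, and the graph keeps one compound edge per (source, destination) pair that can be expanded back to the underlying trace events. The `Event` shape, the field names, the UUIDs and the sample trace are all assumptions made up for this example, not the BSM or CDM record layout.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One low-level trace event (constructed shape, not the BSM/CDM layout)."""
    seq: int          # position in the trace
    syscall: str
    subject: str      # UUID of the acting process
    obj: str          # UUID of the file/socket touched
    direction: str    # "in": object -> subject (read-like), "out": subject -> object (write-like)


# Constructed sample trace; these UUIDs are made up for this example.
PROC = "d1b9c1a0-0000-4000-8000-000000000001"
CONF = "d1b9c1a0-0000-4000-8000-000000000002"
SOCK = "d1b9c1a0-0000-4000-8000-000000000003"

EVENTS = [
    Event(1, "open", PROC, CONF, "in"),
    Event(2, "read", PROC, CONF, "in"),
    Event(3, "read", PROC, CONF, "in"),
    Event(4, "connect", PROC, SOCK, "out"),
    Event(5, "write", PROC, SOCK, "out"),
]

Edge = Tuple[str, str]  # (source UUID, destination UUID) in information-flow order


def flow_edge(ev: Event) -> Edge:
    """Map an event to a directed flow edge using only its direction field.

    Without the field the consumer would need a per-syscall table of which way
    data moves; with it the graph builder is syscall-agnostic.
    """
    if ev.direction == "in":
        return (ev.obj, ev.subject)
    if ev.direction == "out":
        return (ev.subject, ev.obj)
    raise ValueError(f"event {ev.seq}: unknown direction {ev.direction!r}")


class CompoundGraph:
    """Provenance graph with one compound edge per (src, dst) pair, each
    expandable back to the low-level events it summarizes."""

    def __init__(self, events: List[Event]) -> None:
        self.members: Dict[Edge, List[Event]] = {}
        for ev in sorted(events, key=lambda e: e.seq):
            self.members.setdefault(flow_edge(ev), []).append(ev)

    def compound_edges(self) -> Dict[Edge, int]:
        """High-level view: each edge with the number of events behind it."""
        return {edge: len(evs) for edge, evs in self.members.items()}

    def expand(self, src: str, dst: str) -> List[int]:
        """Drill down: sequence numbers of the trace events behind one edge."""
        return [ev.seq for ev in self.members.get((src, dst), [])]

    def reaches(self, src: str, dst: str) -> bool:
        """Could information from src have reached dst?

        Respects trace order: an edge only carries taint if at least one of its
        events happened after the source node became tainted.
        """
        tainted: Dict[str, int] = {src: 0}   # node -> earliest seq at which it is tainted
        stack = [src]
        while stack:
            node = stack.pop()
            t = tainted[node]
            for (s, d), evs in self.members.items():
                if s != node:
                    continue
                later = [ev.seq for ev in evs if ev.seq > t]
                if later and (d not in tainted or later[0] < tainted[d]):
                    tainted[d] = later[0]
                    stack.append(d)
        return dst in tainted


def build_graph(events: List[Event]) -> CompoundGraph:
    return CompoundGraph(events)


if __name__ == "__main__":
    g = build_graph(EVENTS)
    for (s, d), n in g.compound_edges().items():
        print(f"{s[-4:]} -> {d[-4:]}  ({n} events: {g.expand(s, d)})")
    print("config reaches socket:", g.reaches(CONF, SOCK))
```

The time-ordering check in `reaches` is the caveat a summarized view tends to hide: collapsing five events into two edges loses the fact that a write which preceded the read cannot have carried the read's data, so any "does X flow to Y" query over compound edges has to consult the expanded events (or their timestamps) rather than the abstract graph alone.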