Abstract
Developers of audit trail analysis tools need a data interchange format
to allow sharing audit trail information from different operating systems.
We wanted an audit data interchange format to provide interoperability
of intrusion and misuse detection tools and to facilitate cooperative
work involving audit trail analysis, especially for the detection of
intrusions and other misuses.
While the general case of this problem is very difficult (to convert from
IBM MVS SMF records to SunOS Basic Security Module data, for example),
it is much more feasible to define a common record format across those
Unix versions that support auditing at least at the NCSC C2 level.
This document describes the format we have developed. Our internal name
for this format is "svr4++".