From owner-trustedbsd-audit@FreeBSD.ORG Wed Aug 16 11:15:10 2006
From: "R. Tyler Ballance" <tyler@bleepsoft.com>
Date: Wed, 16 Aug 2006 06:14:46 -0500
To: trustedbsd-audit@FreeBSD.org
Subject: Re: Darwin work
In-Reply-To: <20060815193600.H45647@fledge.watson.org>
References: <8C40F149-F305-46DC-A39E-66E26C46822D@bleepsoft.com> <20060815193600.H45647@fledge.watson.org>
List-Id: TrustedBSD Audit Discussion List

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Aug 15, 2006, at 2:13 PM, Robert Watson wrote:

> The first step is to get OpenBSM fully working on Darwin. We've been
> compiling and testing most OpenBSM components at least minimally on
> Mac OS X and Linux during development. This means that the
> configuration files, library, and user space BSM tools, such as
> auditreduce and praudit, should pretty much "just work" on both
> platforms. It's components like auditd and auditfilterd, which
> interact with the kernel as a source of audit events, where the work
> becomes more tricky.
>
> As I mentioned to you in IRC, and appears in the above transcript, the
> first major issue is teaching the new OpenBSM auditd about the Darwin
> trigger model, which is based on Mach port IPC, rather than the
> pseudo-device /dev/audit as found on FreeBSD. At least, if you want
> OpenBSM to run with an unmodified kernel. If you don't mind a modified
> XNU kernel, porting just src/sys/security/audit/audit_trigger.c from
> FreeBSD to Darwin is probably pretty straightforward. Getting OpenBSM
> working properly on Darwin would be very useful indeed, even without
> doing all the kernel work.

That said, should I be using Apple's own bsm module as a reference for
writing the Mach port specific code, or is there existing code for
receiving the audit events from XNU already somewhere lurking around
within OpenBSM? (I've been glancing over Apple's bsm code, which is
under a 3-clause license, so I don't think it would be a problem for me
to base my code off of it.)

> After the OpenBSM pieces are fully working on Darwin, it's desirable
> to substitute the new OpenBSM bsm/ include files for the existing
> Darwin ones. That will, among other things, teach the Darwin kernel to
> generate records using the new OpenBSM header version and event
> numbers, rather than ones that may (in the future) conflict with
> Solaris events. Finally, without doing a full audit3 port, a desirable
> change to port to Darwin is the token generation changes, which fix
> some bugs and add endian-independence (writing out in network byte
> order rather than native byte order).
>
> Doing a full port requires basically porting over src/sys/security/audit
> from the FreeBSD tree to Darwin, and also src/sys/bsm, replacing the
> current files, which are largely in xnu/bsd/kern and xnu/bsd/bsm.

The full audit3 port would be something, IMHO, that would be best done
in a reasonable amount of conjunction with the SEDarwin project,
although it seems that they are aiming more at bringing the MAC
framework and some of the security enhancements that SELinux brought to
the table, so I'm not sure if an audit3 port necessarily fits within
their project goals.

That said, I suppose it's time to finally reboot this bloody machine to
enable auditing from the Common Criteria Tools :-/

Cheers,
- -R. Tyler Ballance
Lead Developer, bleep. LLC
http://www.bleepsoft.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE4v4vqO6nEJfroRsRApyYAJ4mov9M9Q9Se2Ya6cTqEERpfqB8JQCeISNl
tb49LK0k58/VrTIgkf+v5gw=
=LQlf
-----END PGP SIGNATURE-----
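The trigger model discussed in the thread (the kernel telling auditd to rotate, reconfigure or shut down, delivered on FreeBSD as unsigned ints read from the /dev/audit pseudo-device and on Darwin over a Mach port) is easiest to see as a small daemon loop with the trigger source kept behind a function pointer. The program below is an added illustration, not OpenBSM's or Apple's code: the AUDIT_TRIGGER_* codes are the values from OpenBSM's bsm/audit.h reproduced locally so it builds without the library, the struct and function names are assumptions for this example, the /dev/audit reader is the only source implemented (a Mach port source would be a second `trigger_next_fn`), and the demo feeds it constructed trigger values through a pipe rather than a real audit device.

```c
/* Added example (not OpenBSM's own code): an auditd-style trigger loop
 * that separates "where triggers come from" (a trigger_next_fn) from
 * "what to do about them" (handle_trigger).  On FreeBSD the source is a
 * read(2) loop on /dev/audit; on Darwin it would be a Mach port receive. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Trigger codes as defined in OpenBSM's bsm/audit.h (copied for a
 * self-contained build). */
#define AUDIT_TRIGGER_LOW_SPACE      1
#define AUDIT_TRIGGER_ROTATE_KERNEL  2
#define AUDIT_TRIGGER_READ_FILE      3
#define AUDIT_TRIGGER_CLOSE_AND_DIE  4
#define AUDIT_TRIGGER_NO_SPACE       5
#define AUDIT_TRIGGER_ROTATE_USER    6
#define AUDIT_TRIGGER_INITIALIZE     7
#define AUDIT_TRIGGER_EXPIRE_TRAILS  8

/* Hypothetical bookkeeping so the loop's decisions are observable. */
struct trigger_stats {
    unsigned rotations;      /* ROTATE_KERNEL, ROTATE_USER */
    unsigned reconfigs;      /* READ_FILE, INITIALIZE */
    unsigned space_warnings; /* LOW_SPACE, NO_SPACE */
    unsigned expirations;    /* EXPIRE_TRAILS */
    unsigned unknown;        /* codes outside the known range: log, don't act */
};

/* Source abstraction: 1 = trigger delivered, 0 = end of stream, -1 = error. */
typedef int (*trigger_next_fn)(void *ctx, unsigned int *out);

/* FreeBSD-style source: one unsigned int per trigger from the device fd.
 * Works on any fd, which lets the demo below drive it from a pipe. */
static int
devaudit_next(void *ctx, unsigned int *out)
{
    int fd = *(int *)ctx;
    unsigned char buf[sizeof(unsigned int)];
    size_t got = 0;

    while (got < sizeof buf) {
        ssize_t n = read(fd, buf + got, sizeof buf - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)                        /* EOF; a partial int is an error */
            return got == 0 ? 0 : -1;
        got += (size_t)n;
    }
    memcpy(out, buf, sizeof *out);
    return 1;
}

/* Returns 1 when the kernel asked the daemon to exit, 0 otherwise. */
static int
handle_trigger(unsigned int trigger, struct trigger_stats *st)
{
    switch (trigger) {
    case AUDIT_TRIGGER_LOW_SPACE:
    case AUDIT_TRIGGER_NO_SPACE:      st->space_warnings++; return 0;
    case AUDIT_TRIGGER_ROTATE_KERNEL:
    case AUDIT_TRIGGER_ROTATE_USER:   st->rotations++;      return 0;
    case AUDIT_TRIGGER_READ_FILE:
    case AUDIT_TRIGGER_INITIALIZE:    st->reconfigs++;      return 0;
    case AUDIT_TRIGGER_EXPIRE_TRAILS: st->expirations++;    return 0;
    case AUDIT_TRIGGER_CLOSE_AND_DIE: return 1;
    default:                          st->unknown++;        return 0;
    }
}

/* Drains the source until CLOSE_AND_DIE, end of stream or a read error.
 * Returns the number of triggers handled, or -1 on error. */
int
run_trigger_loop(trigger_next_fn next, void *ctx, struct trigger_stats *st)
{
    unsigned int t;
    int handled = 0, rc;

    memset(st, 0, sizeof *st);
    while ((rc = next(ctx, &t)) == 1) {
        handled++;
        if (handle_trigger(t, st))
            break;
    }
    return rc < 0 ? -1 : handled;
}

/* Demo/test harness: deliver constructed trigger values through a pipe,
 * byte-for-byte as /dev/audit would. */
int
run_from_values(const unsigned int *vals, size_t n, struct trigger_stats *st)
{
    int fds[2], r;
    size_t i;

    if (pipe(fds) < 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (write(fds[1], &vals[i], sizeof vals[i]) != (ssize_t)sizeof vals[i]) {
            close(fds[0]); close(fds[1]);
            return -1;
        }
    }
    close(fds[1]);
    r = run_trigger_loop(devaudit_next, &fds[0], st);
    close(fds[0]);
    return r;
}

int
main(void)
{
    /* Constructed sequence: rotate, low space, reconfig, bogus code,
     * shutdown, then a trailing trigger the daemon must never process. */
    const unsigned int seq[] = { AUDIT_TRIGGER_ROTATE_KERNEL, AUDIT_TRIGGER_LOW_SPACE,
        AUDIT_TRIGGER_READ_FILE, 99, AUDIT_TRIGGER_CLOSE_AND_DIE, AUDIT_TRIGGER_ROTATE_USER };
    struct trigger_stats st;
    int n = run_from_values(seq, sizeof seq / sizeof seq[0], &st);

    printf("handled=%d rotations=%u space=%u reconfigs=%u unknown=%u\n",
           n, st.rotations, st.space_warnings, st.reconfigs, st.unknown);
    return 0;
}
```

Porting to the Darwin model in this layout means writing one more `trigger_next_fn` that blocks on the Mach port and fills in the same unsigned int, leaving `handle_trigger` and the trail-management logic behind it untouched; the unknown-code branch matters because the thread notes that Darwin's event and header numbers may diverge from OpenBSM's until the bsm/ includes are swapped.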