Date: Wed, 23 Aug 2006 13:27:36 -0500
From: "R. Tyler Ballance" <tyler@bleepsoft.com>
To: trustedbsd-audit@FreeBSD.org
Subject: Re: Darwin work
Message-ID: <CF2CAE1F-A9A0-4263-85BA-3D658A635CB2@bleepsoft.com>
In-Reply-To: <20060816132406.Y15941@fledge.watson.org>
References: <8C40F149-F305-46DC-A39E-66E26C46822D@bleepsoft.com> <20060815193600.H45647@fledge.watson.org> <B3A55966-EBE6-4A81-B269-976682BE8E16@bleepsoft.com> <20060816132406.Y15941@fledge.watson.org>
On Aug 16, 2006, at 7:29 AM, Robert Watson wrote:

> I believe that in the current OpenBSM tree, the mach event code for auditd
> isn't present, so you will need to look at the original Apple BSM
> package. The most recent Apple BSM import was from Darwin 8.0
> (Tiger 10.4.0, I believe). My recommendation is to look at ways to
> break auditd.c into three different source files: auditd_devaudit.c
> (/dev/audit), auditd_mach.c (mach ports), and auditd.c, and try to
> capture as much of the common behavior in auditd.c as possible.
> How exactly the details will shake out, I can't say -- it depends a
> bit how the control loop has to be changed to add in the Mach support.

It seems that there's no trigger support in the Apple BSM package from what I can tell. Most of the bsm package that I downloaded from the darwinsource site is for examining audit trails after the fact (once they've been dumped in /var/audit/), but there doesn't seem to be anything related to "feeding" off the Mach port for the triggers straight from the auditing subsystem.

Am I looking in the wrong place? Should I be grepping some of the Xnu source for the Audit related code to find out how to handle the triggers spewed from Xnu's audit system? Or am I just being too dense to find the appropriate code in Apple's BSM code ;)

Cheers,

- -R. Tyler Ballance
Lead Developer, bleep. LLC
http://www.bleepsoft.com