From: "R. Tyler Ballance" <tyler@bleepsoft.com>
Date: Wed, 23 Aug 2006 13:27:36 -0500
To: trustedbsd-audit@FreeBSD.org
Subject: Re: Darwin work
In-Reply-To: <20060816132406.Y15941@fledge.watson.org>
References: <8C40F149-F305-46DC-A39E-66E26C46822D@bleepsoft.com> <20060815193600.H45647@fledge.watson.org> <20060816132406.Y15941@fledge.watson.org>
List-Id: TrustedBSD Audit Discussion List

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Aug 16, 2006, at 7:29 AM, Robert Watson wrote:

> I believe that in the current OpenBSM tree, the mach event code for auditd
> isn't present, so you will need to look at the original Apple BSM
> package. The most recent Apple BSM import was from Darwin 8.0
> (Tiger 10.4.0, I believe). My recommendation is to look at ways to
> break auditd.c into three different source files: auditd_devaudit.c
> (/dev/audit), auditd_mach.c (mach ports), and auditd.c, and try to
> capture as much of the common behavior in auditd.c as possible.
> How exactly the details will shake out, I can't say -- it depends a
> bit on how the control loop has to be changed to add in the Mach support.

It seems that there's no trigger support in the Apple BSM package, from what I can tell. Most of the bsm package that I downloaded from the darwinsource site is for examining audit trails after the fact (once they've been dumped in /var/audit/), but there doesn't seem to be anything related to "feeding" off the Mach port for the triggers straight from the auditing subsystem.

Am I looking in the wrong place? Should I be grepping some of the Xnu source for the audit-related code to find out how to handle the triggers spewed from Xnu's audit system? Or am I just being too dense to find the appropriate code in Apple's BSM code ;)

Cheers,
- -R. Tyler Ballance
Lead Developer, bleep. LLC
http://www.bleepsoft.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFE7J4eqO6nEJfroRsRAl7IAJwJns4I5ODsFgFU2rEw7eW4Tfd3ZwCeL8Nv
AmPZQN4BLGhOgbVV8Psj6LY=
=f3df
-----END PGP SIGNATURE-----
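The split Robert suggests in the quoted reply (a common control loop in auditd.c, with the /dev/audit and Mach-port readers behind one interface) sketched as an added C example. This is not OpenBSM or Apple code and is not part of the thread. The AUDIT_TRIGGER_* numbers are defined locally and modelled on the constants in OpenBSM's bsm/audit.h (assumption; a real daemon would include that header rather than redefine them), the struct and function names are hypothetical, and a pipe carrying constructed trigger values stands in for /dev/audit so the loop can run without a BSM kernel. A Mach backend (the auditd_mach.c half) would supply the same read_trigger hook, filled by a mach_msg receive loop, and the dispatch code below would not change.

```c
/* Added example: trigger-source abstraction for an auditd-style control loop.
 * Not OpenBSM or Apple code. Trigger numbers are local definitions modelled on
 * OpenBSM's AUDIT_TRIGGER_* constants (assumption); the pipe in the demo
 * harness stands in for /dev/audit. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define AUDIT_TRIGGER_LOW_SPACE     1   /* trail below low watermark */
#define AUDIT_TRIGGER_ROTATE_KERNEL 2   /* kernel asks for a trail rotation */
#define AUDIT_TRIGGER_READ_FILE     3   /* re-read configuration */
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4   /* shut the daemon down */

/* What the common loop asks a backend for: one trigger at a time.
 * read_trigger returns 1 with a trigger, 0 on EOF/shutdown, -1 on error. */
struct trigger_source {
    const char *name;
    int (*read_trigger)(struct trigger_source *, unsigned int *out);
    int fd;   /* used by the /dev/audit-style backend; a Mach backend would hold a port */
};

/* /dev/audit-style backend: each read() yields exactly one unsigned int.
 * EINTR is retried; a short read is reported as an error, not silently used. */
static int devaudit_read_trigger(struct trigger_source *src, unsigned int *out)
{
    unsigned int trigger;
    ssize_t n;

    do {
        n = read(src->fd, &trigger, sizeof(trigger));
    } while (n < 0 && errno == EINTR);
    if (n == 0)
        return 0;
    if (n != (ssize_t)sizeof(trigger))
        return -1;
    *out = trigger;
    return 1;
}

/* Counters updated by the common code. A real auditd would rotate trails,
 * re-read audit_control, etc.; here each action is just tallied. */
struct auditd_state {
    int low_space_warnings;
    int rotations;
    int config_reloads;
    int unknown;      /* unrecognised trigger values: logged, not fatal */
    int shutdown;
};

/* Common dispatch: independent of which backend produced the trigger. */
static void auditd_handle_trigger(struct auditd_state *st, unsigned int trigger)
{
    switch (trigger) {
    case AUDIT_TRIGGER_LOW_SPACE:     st->low_space_warnings++; break;
    case AUDIT_TRIGGER_ROTATE_KERNEL: st->rotations++;          break;
    case AUDIT_TRIGGER_READ_FILE:     st->config_reloads++;     break;
    case AUDIT_TRIGGER_CLOSE_AND_DIE: st->shutdown = 1;         break;
    default:                          st->unknown++;            break;
    }
}

/* Common control loop: pulls triggers from whatever backend it is handed until
 * CLOSE_AND_DIE, EOF or a read error. Returns triggers processed, or -1. */
static int auditd_run(struct trigger_source *src, struct auditd_state *st)
{
    unsigned int trigger;
    int processed = 0, rc;

    memset(st, 0, sizeof(*st));
    while (!st->shutdown) {
        rc = src->read_trigger(src, &trigger);
        if (rc < 0)
            return -1;
        if (rc == 0)
            break;
        auditd_handle_trigger(st, trigger);
        processed++;
    }
    return processed;
}

/* Demo harness: write constructed trigger values into a pipe and run the loop
 * on its read end, exactly as it would run on a /dev/audit descriptor. */
static int run_with_constructed_triggers(const unsigned int *trigs, size_t n,
                                         struct auditd_state *st)
{
    int fds[2], rc;
    size_t i;
    struct trigger_source src;

    if (pipe(fds) < 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (write(fds[1], &trigs[i], sizeof(trigs[i])) != (ssize_t)sizeof(trigs[i])) {
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
    }
    close(fds[1]);   /* EOF after the last constructed trigger */
    src.name = "devaudit(pipe)";
    src.read_trigger = devaudit_read_trigger;
    src.fd = fds[0];
    rc = auditd_run(&src, st);
    close(fds[0]);
    return rc;
}

int main(void)
{
    /* Constructed sample: one of each trigger, one bogus value (42), and a
     * trailing rotate that is never reached because CLOSE_AND_DIE stops the loop. */
    const unsigned int sample[] = {
        AUDIT_TRIGGER_LOW_SPACE, AUDIT_TRIGGER_ROTATE_KERNEL, 42,
        AUDIT_TRIGGER_READ_FILE, AUDIT_TRIGGER_CLOSE_AND_DIE, AUDIT_TRIGGER_ROTATE_KERNEL
    };
    struct auditd_state st;
    int n = run_with_constructed_triggers(sample, sizeof(sample) / sizeof(sample[0]), &st);

    printf("processed=%d lowspace=%d rotations=%d reloads=%d unknown=%d shutdown=%d\n",
           n, st.low_space_warnings, st.rotations, st.config_reloads, st.unknown, st.shutdown);
    return n < 0;
}
```

The point of the shape is that auditd_handle_trigger and auditd_run know nothing about file descriptors or Mach ports; only the backend's read_trigger does, so adding the Mach reader means adding a second struct trigger_source initialiser, not touching the loop.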