From: "R. Tyler Ballance" <tyler@bleepsoft.com>
Date: Fri, 29 Sep 2006 00:16:27 -0500
To: "benjamin.morin"
Cc: trustedbsd-audit@FreeBSD.org
Subject: Re: BSM audit on Mac OS X
List-Id: TrustedBSD Audit Discussion List

On Sep 27, 2006, at 1:22 PM, benjamin.morin wrote:

> Hi,
>
> I would be interested in monitoring system calls on Mac OS X (for
> intrusion detection purposes).
>
> I have tried to compile trustedbsd-audit (package openbsm-1.0-alpha12.tgz)
> on a mac mini (Mac OS 10.4.7, powerpc-apple-darwin8-gcc-4.0.0 (GCC) 4.0.0
> 20041026 (Apple Computer, Inc. build 4061)).
>
> The compilation fails with the following message:
>
> auditfilterd.c: In function 'mainloop_file':
> auditfilterd.c:200: error: 'CLOCK_REALTIME' undeclared (first use in this function)
> auditfilterd.c:200: error: (Each undeclared identifier is reported only once
> auditfilterd.c:200: error: for each function it appears in.)
> auditfilterd.c: In function 'mainloop_pipe':
> auditfilterd.c:250: error: 'CLOCK_REALTIME' undeclared (first use in this function)
> make[2]: *** [auditfilterd.o] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all-recursive] Error 1
>
> Is this "normal"?
>
> Thanks for any help,

Heh, this was one of the first things I hit when I was starting to work on openbsm/Darwin. The FreeBSD kernel has a few different options for fetching the time from the kernel, but XNU doesn't, so the quickest solution IMHO was just to call out to the standard libc and form a response that auditfilterd.c wants. I've not tested, but it compiles, and that's all that's really important anyways, right? ;)

My solution was to add a header compat/kernel_time.h
( http://perforce.freebsd.org/fileViewer.cgi?FSPC=//depot/user/tyler/openbsm/compat/kernel%5ftime.h&REV=3 )
and then include that in auditfilterd.c.

It *should* work, but I can't do much testing on my single Intel iMac for openbsm and auditing at the moment because I'm busy with contracts and I'm scared to hose my work computer ;)

Cheers,
-R. Tyler Ballance

p.s. just CC'ing this to the list just for grins :)
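For readers hitting the same build error, the shape of such a shim is shown below. This is an added example, not the contents of Tyler's compat/kernel_time.h (which is only linked above, not quoted) and not OpenBSM code: it assumes a libc that has gettimeofday() but no clock_gettime()/CLOCK_REALTIME, as on Darwin 8 (Apple only added clock_gettime() in macOS 10.12), and emulates the POSIX contract on top of gettimeofday(). The names compat_clock_gettime, compat_timeval_to_timespec and COMPAT_CLOCK_REALTIME are hypothetical; a real compat header would guard itself with #ifndef CLOCK_REALTIME and define the standard names so that auditfilterd.c needs no change. The practitioner's caveat is resolution: gettimeofday() only yields microseconds, so tv_nsec is always a multiple of 1000, and any code that relies on sub-microsecond ordering of audit timestamps will not get it from this shim.

```c
/*
 * Hypothetical compat shim (added example, not Tyler's compat/kernel_time.h
 * and not OpenBSM code): emulate clock_gettime(CLOCK_REALTIME, ...) on a
 * libc that only has gettimeofday(), as Darwin 8 (Mac OS X 10.4) shipped.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

/*
 * Our own constant so the example compiles whether or not <time.h> already
 * defines CLOCK_REALTIME; a real compat header would instead wrap the whole
 * file in #ifndef CLOCK_REALTIME and define the standard name.
 */
#define COMPAT_CLOCK_REALTIME 0

/* Widen a microsecond timeval into the nanosecond timespec callers expect. */
void
compat_timeval_to_timespec(const struct timeval *tv, struct timespec *ts)
{
	ts->tv_sec = tv->tv_sec;
	ts->tv_nsec = (long)tv->tv_usec * 1000L;	/* usec -> nsec */
}

/*
 * Drop-in for clock_gettime(): returns 0 and fills *ts on success, or -1
 * with errno set, mirroring the POSIX contract so the caller's error
 * handling (e.g. a daemon's main loop) does not need to change.
 */
int
compat_clock_gettime(int clk_id, struct timespec *ts)
{
	struct timeval tv;

	/* Only the realtime clock can be emulated with gettimeofday(). */
	if (ts == NULL || clk_id != COMPAT_CLOCK_REALTIME) {
		errno = EINVAL;
		return (-1);
	}
	if (gettimeofday(&tv, NULL) != 0)
		return (-1);	/* errno already set by gettimeofday() */
	compat_timeval_to_timespec(&tv, ts);
	return (0);
}

/* Stand-alone check: print the wall clock the way a timestamping loop would. */
int
main(void)
{
	struct timespec ts;

	if (compat_clock_gettime(COMPAT_CLOCK_REALTIME, &ts) != 0) {
		perror("compat_clock_gettime");
		return (1);
	}
	printf("%ld.%09ld\n", (long)ts.tv_sec, ts.tv_nsec);
	return (0);
}
```

Usage: compile with the system cc and run; it prints seconds.nanoseconds since the epoch. To apply the idea to a build like the one above, put the two functions in a header guarded by #ifndef CLOCK_REALTIME, define CLOCK_REALTIME and clock_gettime to the compat names inside that guard, and include the header before the code that calls clock_gettime().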