Date: Fri, 29 Sep 2006 00:16:27 -0500
From: "R. Tyler Ballance" <tyler@bleepsoft.com>
To: "benjamin.morin" <benjamin.morin@free.fr>
Cc: trustedbsd-audit@FreeBSD.org
Subject: Re: BSM audit on Mac OS X
Message-ID: <BB1AB744-AD1D-44EF-B7DF-6BE3BD700C94@bleepsoft.com>
In-Reply-To: <9DDE008A-5B91-4DA0-A55B-E4AA7E4A3369@free.fr>
References: <9DDE008A-5B91-4DA0-A55B-E4AA7E4A3369@free.fr>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sep 27, 2006, at 1:22 PM, benjamin.morin wrote:

> Hi,
>
> I would be interested in monitoring system calls on Mac OS X (for
> intrusion detection purposes).
>
> I have tried to compile trustedbsd-audit (package openbsm-1.0-alpha12.tgz)
> on a mac mini (Mac OS 10.4.7, powerpc-apple-darwin8-gcc-4.0.0 (GCC) 4.0.0
> 20041026 (Apple Computer, Inc. build 4061)).
>
> The compilation fails with the following message:
>
> auditfilterd.c: In function 'mainloop_file':
> auditfilterd.c:200: error: 'CLOCK_REALTIME' undeclared (first use in this function)
> auditfilterd.c:200: error: (Each undeclared identifier is reported only once
> auditfilterd.c:200: error: for each function it appears in.)
> auditfilterd.c: In function 'mainloop_pipe':
> auditfilterd.c:250: error: 'CLOCK_REALTIME' undeclared (first use in this function)
> make[2]: *** [auditfilterd.o] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all-recursive] Error 1
>
> Is this "normal"?
>
> Thanks for any help,

Heh, this was one of the first things I hit when I was starting to work on
openbsm/Darwin. The FreeBSD kernel has a few different options for fetching
the time from the kernel, but XNU doesn't, so the quickest solution IMHO was
just to call out to the standard libc and form a response that auditfilterd.c
wants. I've not tested, but it compiles, and that's all that's really
important anyways, right? ;)

My solution was to add a header compat/kernel_time.h
(http://perforce.freebsd.org/fileViewer.cgi?FSPC=//depot/user/tyler/openbsm/compat/kernel%5ftime.h&REV=3)
and then include that in auditfilterd.c

It *should* work, but I can't do much testing on my single Intel iMac for
openbsm and auditing at the moment because I'm busy with contracts and I'm
scared to hose my work computer ;)

Cheers,
- -R. Tyler Ballance

p.s. just CC'ing this to the list just for grins :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFHKwtqO6nEJfroRsRAqMaAJ9i78dA9F8u1IZAV7jSiYDhLSyMngCcDZXW
8jLjIZXqAiq7pLDiMcyPUro=
=6j4a
-----END PGP SIGNATURE-----
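The compat approach described in the reply above (have userland libc supply the wall-clock time and hand auditfilterd.c the struct timespec it expects) sketched as an added example. This is not Tyler's compat/kernel_time.h and not OpenBSM code; the names compat_clock_gettime, compat_timeval_to_timespec and compat_timespec_valid are hypothetical. It assumes only POSIX gettimeofday(2), which Darwin 8 does provide, and falls back to defining CLOCK_REALTIME itself when the platform headers lack it.

```c
/*
 * compat_clock_gettime: a libc-only stand-in for clock_gettime(CLOCK_REALTIME).
 * Hypothetical example shim, not the OpenBSM compat header.
 *
 * On a platform whose <time.h> does not declare CLOCK_REALTIME (the build
 * error quoted in the thread), the shim defines it and builds a timespec
 * from gettimeofday(2). On platforms that already have clock_gettime(2),
 * the same code compiles unchanged and the macro guard is a no-op.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

#ifndef CLOCK_REALTIME
#define CLOCK_REALTIME 0        /* assumed value; only compared, never passed to the kernel */
#endif

/* Widen microseconds to nanoseconds. tv_nsec will always be a multiple of
 * 1000 here: gettimeofday(2) has microsecond resolution, so callers must not
 * read sub-microsecond precision into audit timestamps produced this way. */
static struct timespec compat_timeval_to_timespec(const struct timeval *tv)
{
    struct timespec ts;
    ts.tv_sec = tv->tv_sec;
    ts.tv_nsec = (long)tv->tv_usec * 1000L;
    return ts;
}

/* Same contract as clock_gettime(2): 0 on success, -1 with errno set on
 * failure. Only CLOCK_REALTIME is supported; any other clock id is rejected
 * with EINVAL rather than silently returning wall-clock time for it. */
static int compat_clock_gettime(int clk_id, struct timespec *ts)
{
    struct timeval tv;

    if (ts == NULL || clk_id != CLOCK_REALTIME) {
        errno = EINVAL;
        return -1;
    }
    if (gettimeofday(&tv, NULL) != 0)
        return -1;              /* errno already set by gettimeofday */
    *ts = compat_timeval_to_timespec(&tv);
    return 0;
}

/* Sanity check a timespec before stamping an audit record with it:
 * epoch seconds must be positive and nanoseconds within [0, 1e9). */
static int compat_timespec_valid(const struct timespec *ts)
{
    return ts->tv_sec > 0 && ts->tv_nsec >= 0 && ts->tv_nsec < 1000000000L;
}

int main(void)
{
    struct timespec now;

    if (compat_clock_gettime(CLOCK_REALTIME, &now) != 0) {
        perror("compat_clock_gettime");
        return 1;
    }
    printf("realtime: %lld.%09ld valid=%d\n",
           (long long)now.tv_sec, now.tv_nsec, compat_timespec_valid(&now));
    return 0;
}
```

Dropping the shim into a header and including it from auditfilterd.c, as the reply describes, makes the two CLOCK_REALTIME sites compile without touching the daemon's logic; the caveat a practitioner should carry forward is the microsecond ceiling noted in the comment, which is lower than what the FreeBSD kernel clock offers.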