Darwin work
R. Tyler Ballance
tyler at bleepsoft.com
Wed Aug 23 18:27:52 UTC 2006
On Aug 16, 2006, at 7:29 AM, Robert Watson wrote:
> I believe that in the current OpenBSM tree, the Mach event code for auditd
> isn't present, so you will need to look at the original Apple BSM
> package. The most recent Apple BSM import was from Darwin 8.0
> (Tiger 10.4.0, I believe). My recommendation is to look at ways to
> break auditd.c into three different source files: auditd_devaudit.c
> (/dev/audit), auditd_mach.c (Mach ports), and auditd.c, and try to
> capture as much of the common behavior in auditd.c as possible.
> How exactly the details will shake out, I can't say -- it depends a
> bit on how the control loop has to be changed to add in the Mach support.
It seems that there's no trigger support in the Apple BSM package
from what I can tell. Most of the BSM package that I downloaded from
the darwinsource site is for examining audit trails after the fact
(once they've been dumped in /var/audit/), but there doesn't seem to
be anything related to "feeding" off the Mach port for the triggers
straight from the auditing subsystem.
Am I looking in the wrong place? Should I be grepping some of the Xnu
source for the audit-related code to find out how to handle the
triggers spewed from Xnu's audit system? Or am I just being too dense
to find the appropriate code in Apple's BSM code ;)
Cheers,
-R. Tyler Ballance
Lead Developer, bleep. LLC
http://www.bleepsoft.com