TrustedBSD status from Oct-Dec 2003
Ilmar S. Habibulin
ilmar at watson.org
Tue Mar 9 08:43:35 GMT 2004
On Sun, 7 Mar 2004, Robert Watson wrote:
> They should be in trap.c, but aren't currently since the work is
> incomplete.
I've made a patch against the mac branch, with AUDIT_*() and an i386-arch syscall
audit wrapper. It was made using cut-n-paste technology ;-), and may
contain some bugs. But the kernel builds.
I have just two or three pieces of code that I didn't understand.
Something about file attributes. Are they standard attributes (get/setattr())
or are they extended?
I'm planning to look through the Trusted Solaris audit doc to figure out what
data for each syscall may/must be collected. And if I understand correctly,
later we can use
http://ftp.cerias.purdue.edu/pub/tools/unix/logutils/bsmparser/README.html
> Agreed. The approach of having the basic audit record preselection,
> allocation, and commit in the system call entry and exit code (similar to
> ktrace and others) makes a lot of sense to me. Especially since we can
> hang the audit data for the system call off the active thread structure
> and access it as thread-local data. However, you do need some
> modifications to system calls, namei(), etc, to gather the additional
> necessary argument data. But this is much less disruptive than having three
> or four changes in each system call just to allocate and handle records.
Is there any additional info on your BSM audit implementation other than the
Darwin source?
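An added illustration, not code from this thread or from the TrustedBSD or Darwin sources, of the entry/exit model Robert describes above: the record is preselected and allocated at system call entry, hung off the thread structure, filled in by a namei()-style path-lookup hook, and committed at exit. The class bits, syscall number and structure names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed event classes; not the real BSM class bits. */
#define AU_CLASS_FREAD  0x1u
#define AU_CLASS_FWRITE 0x2u

/* One audit record: allocated at syscall entry, committed at exit. */
struct audit_record {
    unsigned ev_class;  /* class the event was selected under */
    int      syscall;   /* syscall number (constructed numbering) */
    char     path[64];  /* pathname argument gathered during the name lookup */
    int      retval;    /* result recorded at exit */
};

/* Per-thread state: in a kernel this hangs off the thread structure. */
struct thread {
    unsigned preselect_mask;  /* classes this subject is audited for */
    struct audit_record *ar;  /* active record, NULL if not selected */
};

/* Syscall entry: preselection decides whether a record is allocated at all,
 * so unaudited calls pay nothing beyond one mask test. */
int audit_syscall_enter(struct thread *td, int syscall, unsigned ev_class) {
    td->ar = NULL;
    if ((td->preselect_mask & ev_class) == 0) return 0;
    td->ar = calloc(1, sizeof *td->ar);
    if (td->ar == NULL) return 0;
    td->ar->ev_class = ev_class;
    td->ar->syscall = syscall;
    return 1;
}

/* Hook a path lookup (namei-like) calls: fills the thread-local record if any. */
void audit_arg_path(struct thread *td, const char *path) {
    if (td->ar == NULL) return;
    strncpy(td->ar->path, path, sizeof td->ar->path - 1);
}

/* Syscall exit: attach the return value, commit (copy out) and free.
 * Returns 1 if a record was committed, 0 if this call was not audited. */
int audit_syscall_exit(struct thread *td, int retval, struct audit_record *out) {
    if (td->ar == NULL) return 0;
    td->ar->retval = retval;
    *out = *td->ar;  /* commit: hand the record to the audit log */
    free(td->ar);
    td->ar = NULL;
    return 1;
}
```

Because the allocation happens only after preselection, a call that is not selected for this subject never touches the record path at all, which is the cost argument made above.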