TrustedBSD status from Oct-Dec 2003
Robert Watson
rwatson at FreeBSD.org
Sun Mar 21 02:35:48 GMT 2004
On Tue, 9 Mar 2004, Ilmar S. Habibulin wrote:
> On Sun, 7 Mar 2004, Robert Watson wrote:
>
> > They should be in trap.c, but aren't currently since the work is
> > incomplete.
> I've made a patch against the mac branch, with AUDIT_*() and an i386-arch
> syscall audit wrapper. It was made using cut-n-paste technology ;-), and may
> contain some bugs. But the kernel builds.
> I have just two or three pieces of code that I didn't understand.
> Something about file attributes. Are they standard attributes (get/setattr())
> or are they extended?
Ilmar,
Sorry about the delay in responding -- I've been in Taiwan the last week
attending Asia BSDCon and seeing the beautiful sights :-). I'm still
catching up on e-mail, so you'll probably see other messages from me too.
You can find a description of the base BSM token types here:
http://docs.sun.com/db/doc/802-1965/6i5vah3bm?a=view
I believe there are both 32-bit and 64-bit attribute token types; only the
32-bit type seems to be documented here. The public Darwin audit code
drop in Panther seems to add an extra 32-bit pad to the file id field; I'm
not sure why that is but will inquire.
> I'm planning to look through the Trusted Solaris audit doc to figure out what
> data for each syscall may/must be collected. And if I understand correctly,
> later we can use
> http://ftp.cerias.purdue.edu/pub/tools/unix/logutils/bsmparser/README.html
Yes. The Apple kernel audit implementation is intended to produce
compliant BSM audit record streams that can be consumed by a number of
open source programs and commercial audit products. If you find bugs in
the implementation, let me know and I can feed fixes back to Apple.
> > Agreed. The approach of having the basic audit record preselection,
> > allocation, and commit in the system call entry and exit code (similar to
> > ktrace and others) makes a lot of sense to me. Especially since we can
> > hang the audit data for the system call off the active thread structure
> > and access it as thread-local data. However, you do need some
> > modifications to system calls, namei(), etc, to gather the additional
> > necessary argument data. But this is much less disruptive than having
> > three or four changes in each system call just to allocate and handle records.
> Is there any additional info on your BSM audit implementation other than
> the Darwin source?
Not currently. However, there is a lot of information available on the
BSM APIs and record formats from Sun's web page, as well as a variety of
open source projects, etc, that use BSM, so they are probably the best
starting point.
BTW -- did we ever get you hooked up with a Perforce account? If so,
could you submit your changes to the audit2 branch? I'm pretty
preoccupied with other work right now, so if you want to grab the audit
work and run with it, please do :-).
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research
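The two technical points in the exchange above, the per-thread audit record that is preselected at system call entry and committed (or dropped) at exit, and the 32-bit file attribute token whose 64-bit file id field carries an extra zero pad, can be shown together in a small user-space model. The following is an added example written for this page, not code from the TrustedBSD, Darwin or OpenBSM sources. It assumes the attr32 token id (0x3e) and wire layout as later published in OpenBSM (1-byte id, padded 4-byte mode, uid, gid, fsid, padded 8-byte file id, dev, big-endian); the `struct thread`, `AU_PRS_*` flags and `audit_*` function names are hypothetical stand-ins for the kernel hooks the message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire layout of the 32-bit file attribute token (from later OpenBSM):
 *   1 byte id | 4 mode | 4 uid | 4 gid | 4 fsid | 8 file id | 4 dev  = 29 bytes.
 * The 4-byte mode field holds a 2-byte zero pad then the 16-bit mode; the
 * 8-byte file id field holds a 4-byte zero pad then the 32-bit id. */
#define AUT_ATTR32     0x3e
#define ATTR32_TOKLEN  29

/* Preselection flags: record the event on success and/or on failure. */
#define AU_PRS_SUCCESS 0x1u
#define AU_PRS_FAILURE 0x2u

struct vnode_au_info {               /* attributes gathered during lookup */
    uint16_t vn_mode;
    uint32_t vn_uid, vn_gid, vn_fsid, vn_fileid, vn_dev;
};

struct audit_record {                /* in-progress record for one syscall */
    unsigned prs_mask;               /* mask it was preselected under */
    uint8_t  buf[256];
    size_t   len;
};

struct thread { struct audit_record *td_ar; };   /* hypothetical thread struct */

static void put_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff;
}
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Encode one attr32 token into dst (ATTR32_TOKLEN bytes); returns bytes written. */
size_t au_to_attr32(uint8_t *dst, const struct vnode_au_info *v)
{
    uint8_t *p = dst;
    *p++ = AUT_ATTR32;
    put_be16(p, 0); put_be16(p + 2, v->vn_mode);     p += 4;  /* padded mode */
    put_be32(p, v->vn_uid);                          p += 4;
    put_be32(p, v->vn_gid);                          p += 4;
    put_be32(p, v->vn_fsid);                         p += 4;
    put_be32(p, 0); put_be32(p + 4, v->vn_fileid);   p += 8;  /* padded file id */
    put_be32(p, v->vn_dev);                          p += 4;
    return (size_t)(p - dst);
}

/* Decode one attr32 token. Returns 0 on success, -1 if the token is truncated,
 * has the wrong id, or its pad words are non-zero (some other layout). A
 * consumer that read the file id as a plain 32-bit field at offset 17 would
 * get the pad word, which is the pitfall the padding introduces. */
int au_from_attr32(const uint8_t *src, size_t len, struct vnode_au_info *v)
{
    if (len < ATTR32_TOKLEN || src[0] != AUT_ATTR32)
        return -1;
    if (get_be16(src + 1) != 0 || get_be32(src + 17) != 0)
        return -1;
    v->vn_mode   = get_be16(src + 3);
    v->vn_uid    = get_be32(src + 5);
    v->vn_gid    = get_be32(src + 9);
    v->vn_fsid   = get_be32(src + 13);
    v->vn_fileid = get_be32(src + 21);
    v->vn_dev    = get_be32(src + 25);
    return 0;
}

/* Syscall entry: preselect against the event's mask; allocate a record only
 * if some outcome of this call could be committed. */
void audit_syscall_enter(struct thread *td, unsigned prs_mask)
{
    td->td_ar = NULL;
    if (prs_mask == 0)
        return;
    td->td_ar = calloc(1, sizeof(*td->td_ar));
    if (td->td_ar != NULL)
        td->td_ar->prs_mask = prs_mask;
}

/* Argument hook a namei()-style lookup would call: append the vnode's
 * attributes to the thread-local record, if one is active. */
void audit_arg_vnode(struct thread *td, const struct vnode_au_info *v)
{
    struct audit_record *ar = td->td_ar;
    if (ar == NULL || ar->len + ATTR32_TOKLEN > sizeof(ar->buf))
        return;
    ar->len += au_to_attr32(ar->buf + ar->len, v);
}

/* Syscall exit: commit the record if the outcome matches the preselection,
 * otherwise drop it. Returns bytes committed to out (0 if dropped). */
size_t audit_syscall_exit(struct thread *td, int error, uint8_t *out, size_t outlen)
{
    struct audit_record *ar = td->td_ar;
    unsigned want = (error == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
    size_t n = 0;
    if (ar == NULL)
        return 0;
    if ((ar->prs_mask & want) && ar->len <= outlen) {
        memcpy(out, ar->buf, ar->len);
        n = ar->len;
    }
    free(ar);
    td->td_ar = NULL;
    return n;
}
```

The preselection check happens twice on purpose: once at entry, so that calls nobody wants audited pay nothing beyond a mask test, and once at exit, because success and failure are selected independently and the outcome is only known then. The decoder rejects non-zero pad words rather than silently reading past them, so a stream produced under a different attr token layout is reported instead of misparsed.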