
[Fed-Talk] posix_spawn() auditing bug



Hi Shawn (and any BSM audit trail users out there),

Tests on the most recent BSM for Leopard show the system call posix_spawn() doesn't generate an audit record -- which is unfortunate because launchd (and the dock, which I think uses launchd) starts programs via posix_spawn(). What this means is that any new program started this way cannot be identified in the audit trail. You will see the actions of the process in the audit trail (e.g., process ID 1456 opened file /Users/joe/secrets), but there is no way to determine *which* program is reading the file (e.g., is process ID 1465 Mail, Safari, iTunes, or some command line tool?).

This makes it difficult to establish accountability, perform forensic analysis, and do intrusion detection by analyzing program behavior.

I have filed a bug report on this issue. The bug report number is 6287352.

Todd
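An added example (not code from the post or from Apple) of how an audit-trail reviewer can measure the gap Todd describes: walk a praudit-style text trail, remember which PIDs have an exec record, and flag any PID whose file activity has no preceding exec record, i.e. processes that reached the trail without an identifying program-start event. The record layout and the sample trail are constructed and simplified (header, path, subject, return, trailer tokens only); the PID is assumed to be the 7th field of the subject token.

```python
# Constructed, simplified praudit-style records. PID 1470 has an execve(2)
# record; PID 1456 only ever appears reading a file (started via posix_spawn()).
SAMPLE_TRAIL = """\
header,100,11,execve(2),0,Tue Feb  5 10:00:00 2008, + 1 msec
path,/usr/bin/ls
subject,joe,joe,staff,joe,staff,1470,100004,0,0.0.0.0
return,success,0
trailer,100
header,90,11,open(2) - read,0,Tue Feb  5 10:00:01 2008, + 5 msec
path,/Users/joe/notes.txt
subject,joe,joe,staff,joe,staff,1470,100004,0,0.0.0.0
return,success,3
trailer,90
header,90,11,open(2) - read,0,Tue Feb  5 10:00:02 2008, + 7 msec
path,/Users/joe/secrets
subject,joe,joe,staff,joe,staff,1456,100004,0,0.0.0.0
return,success,3
trailer,90
"""


def parse_records(text):
    """Split praudit text into records: {"event", "pid", "paths"} per header/trailer pair."""
    records, cur = [], None
    for line in text.splitlines():
        tok = line.split(",")
        if tok[0] == "header":
            cur = {"event": tok[3], "pid": None, "paths": []}
        elif cur is None:
            continue  # stray token outside a record
        elif tok[0] == "path":
            cur["paths"].append(tok[1])
        elif tok[0] == "subject":
            cur["pid"] = int(tok[6])  # assumed field position of the PID
        elif tok[0] == "trailer":
            records.append(cur)
            cur = None
    return records


def unattributed_pids(records, exec_events=("execve(2)",)):
    """Return {pid: [paths]} for PIDs that touch files without any earlier
    exec-type record in the trail, i.e. whose program cannot be identified."""
    seen_exec, gaps = set(), {}
    for r in records:
        if r["event"] in exec_events:
            seen_exec.add(r["pid"])
        elif r["pid"] not in seen_exec and r["paths"]:
            gaps.setdefault(r["pid"], []).extend(r["paths"])
    return gaps
```

Running this over a real trail (after `praudit` has rendered it) gives a quick count of how much activity is unattributable until the bug is fixed.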
