• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: kqueue EVFILT_PROC and child process pid
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kqueue EVFILT_PROC and child process pid

  • Subject: Re: kqueue EVFILT_PROC and child process pid
  • From: Stacey Son <email@hidden>
  • Date: Mon, 12 Oct 2009 14:24:08 -0500

On Oct 12, 2009, at 12:45 PM, Rustam Muginov wrote:

Thank you a lot for pointing up to the audit method.
I had found the "bsm" folder in the Mac OS X 10.5 SDK, looked through the header files, but failed to find and documentation on them so far.

I would recommend that you first read the Sun documentation on the BSM format ( see http://docs.sun.com/app/docs/doc/806-1789). The BSM audit format is standard across Solaris, FreeBSD and Mac OS X with some minor differences. You may want to also refer to the TrustedBSD web site and mailing list: http://www.trustedbsd.org/audit.html

The only docs i found are the Common Criteria manuals about command- line tools and GUI apps here:
http://www.apple.com/support/security/commoncriteria/

As for apple documentation take a look at 'man libbsm' and some of the man pages mentioned under "SEE ALSO".

Are where any examples/code snippets available? 

'praudit':  (see 'man praudit')

http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/openbsm/bin/praudit&HIDEDEL=NO

'bsmtrace':  (a simple host-based IDS)

http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/bsmtrace&HIDEDEL=NO

I do believe i could use the audit facility from inside my appliction, instead of relying on external command-line tools.
Should the process dealing with audit run on behalf of root, or it could be a regular user process?


To read from /dev/auditpipe your process will need root privileges so you may want to create a monitoring daemon that sends messages with the information you need via some kind of IPC.

Please note the "BUGS" section of the auditpipe man page about it dropping records if userland can't read them fast enough. Of course, the queue length/buffer can be increased to reduce this possibility. The event will always be written to the audit trail file.

Best Regards,

-stacey.





_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden






References: 


 >Re: kqueue EVFILT_PROC and child process pid (From: Ryan McGann <email@hidden>)


 >Re: kqueue EVFILT_PROC and child process pid (From: Dave Keck <email@hidden>)


 >Re: kqueue EVFILT_PROC and child process pid (From: Stacey Son <email@hidden>)


 >Re: kqueue EVFILT_PROC and child process pid (From: Jean-Daniel Dupas <email@hidden>)


 >Re: kqueue EVFILT_PROC and child process pid (From: Stacey Son <email@hidden>)


 >Re: kqueue EVFILT_PROC and child process pid (From: Rustam Muginov <email@hidden>)






    

  • Prev by Date:
Re: kqueue EVFILT_PROC and child process pid

    • 

  • Next by Date:
Re: kqueue EVFILT_PROC and child process pid

    • 

  • Previous by thread:
Re: kqueue EVFILT_PROC and child process pid

    • 

  • Next by thread:
Re: kqueue EVFILT_PROC and child process pid

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •