• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: auditing support
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: auditing support

  • Subject: Re: auditing support
  • From: Jim Magee <email@hidden>
  • Date: Wed, 3 Mar 2004 20:03:47 -0500
On Mar 3, 2004, at 2:09 PM, John C. Daub wrote:
> on 3/3/04 12:58 PM, Shawn Erickson at email@hidden wrote:
>> On Mar 3, 2004, at 8:11 AM, John C. Daub wrote:
>>
>>> I'm looking at the auditing support that was added to the kernel in
>>> Panther.
>>> I'm figuring out some things from headers, source, and Google, but
>>> it's not
>>> enough. Just wondering if anyone knows of any documentation and/or
>>> sample
>>> code pertaining to Darwin's kernel auditing support.
>>
>> Can you better define "auditing". It can me slightly different things
>> to different folks.
>
> I'm new to this sort of thing (working with the kernel), so please
> forgive
> my newbieness. :-)
>
> I'm looking for information about that which is within
> /usr/include/sys/audit.h (from Mac OS X 10.3.2). I see various
> routines such
> as audit(), auditon(), auditsvc(), and auditctl(). I see data
> structures
> like au_record_t, auditinfo_addr_t, and auditinfo_t. I see constants
> like
> AUDIT_CNT, A_GETPOLICY, and AUDIT_RECORD_MAGIC. I'm looking for
> sample code
> or, preferably, documentation about everything within sys/audit.h...
> functions, data structures, constants.

You'll get most of these things when audit (as defined in these
headers/sources) is fully supported in the Darwin kernel. For now, you
are looking at the shell of an implementation - (e.g. a
work-in-progress). In particular, the kernel currently constructs
audit records of its own, and accepts audit records from user space,
but doesn't have any code to "do anything" with those records. You'll
have to wait for that (it is being worked on, but no release times can
be committed to at this point).

The general gist of the audit support can be gleaned by looking at the
Solaris BSM design. The goal of Darwin audit is to be (at least
loosely) compatible with that approach (working from just public
information).

--Jim

[demime 0.98b removed an attachment of type application/pkcs7-signature which had a name of smime.p7s]
_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.

References: 
 >Re: auditing support (From: "John C. Daub" <email@hidden>)

  • Prev by Date: Re: Stacked file systems - why not and what instead?
  • Next by Date: Re: Assembly macros with Gcc
  • Previous by thread: Re: auditing support
  • Next by thread: Re: Assembly macros with Gcc
  • Index(es):
    • Date
    • Thread