Re: auditing in Darwin?
- Subject: Re: auditing in Darwin?
- From: Todd Heberlein <email@hidden>
- Date: Wed, 22 Jun 2005 10:59:00 -0700
On Jun 21, 2005, at 3:18 PM, Quinn wrote:

> At 10:43 -0700 21/6/05, Todd Heberlein wrote:
>
>> Is this auditing available in Darwin?
>
> Yes. The kernel's auditing support is built in. So, when you get the
> kernel source (project "xnu"), you get the auditing support as well.

Great. My network connection is neither fast nor reliable, so I have
been hesitant to go through the hassle of downloading the kernel code.
Being able to look at the source code for auditing information now
makes it worth the effort.

>> Is this the best community for discussing internal issues of the
>> auditing system?
>
> Well, that depends on whether these issues are related to the kernel,
> or the interface between the kernel and user space auditing
> components. If so, yes, this is the right place.
>
> OTOH, if you're just interested in the user space aspects of auditing,
> darwin-kernel is probably not the place you want to be.
I am currently processing the binary audit file (praudit is way too
slow) for security forensics and intrusion detection projects, and I am
using the specifications from the SunSHIELD Basic Security Module Guide
and Apple's Common Criteria Configuration and Administration Guide. As
I have been doing this, I have run into a number of questions and
issues, and I am trying to determine where to direct these questions.
Here are some examples:
(1) Is it possible to have a user-level application "tap" directly into
the audit data without having the data written to the disk first?
(2) The AU_ATTR32_TOKEN token has a mysterious 4 byte field at the end
that is not in the documentation (or shows up when using praudit).
What is this field for?
(3) Apple's AUE_CONNECT record (which differs from the SunSHIELD BSM
documentation) does not include the local IP address and port for
AF_INET connections (e.g., TCP/IP connections). This makes it
difficult to map an observed packet (e.g., one detected by a Snort
sensor) to the process that created it. Why did Apple choose to drop
the local address and port information from the CONNECT audit record?
Can this easily be "corrected"?
(4) Apple's documentation for audit records has a number of
discrepancies. For example, the AUE_EXECVE record includes *two*
AU_PATH_TOKEN tokens (one for the path tried and one for the actual
path after resolving symbolic links) not one as specified in the
SunSHIELD documentation. Who should I contact regarding the mismatch
between the implementation and the documentation?
Could someone please let me know if this is the correct location for
these types of questions, and if not, where (or to whom) should I
direct these questions (e.g., ADC Technical Support Incident)?
Current Build: Mac OS X 10.3.9 (7W98), Darwin 7.9.0
Thanks,
Todd
Darwin-kernel mailing list (email@hidden)
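The kind of direct binary-trail processing described in the message (walking the BSM record stream token by token instead of going through praudit), written out as a small Python parser. This is an added example, not code from the message, from Apple or from the BSM/OpenBSM projects. Token ids, token layouts and the AUE_EXECVE event number are the published BSM values (bsm/audit_record.h, bsm/audit_kevents.h); the execve record it parses is constructed inline, with made-up uids, pid and timestamp, and the header version byte is an assumed value. The attr32 token is deliberately left unhandled, because its exact layout on Darwin is the open question in the message; the parser raises on any token it does not know rather than guessing at the offset of the next one, which is the failure mode that silently misattributes events.

```python
"""Minimal BSM audit record parser (added example, not Apple/OpenBSM code).

Handles the tokens of a process-execution record: header32, path,
subject32, return32 and trailer.  Token ids and layouts follow
bsm/audit_record.h; all multi-byte fields are big-endian.
"""
import struct

# Token ids from bsm/audit_record.h
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_TRAILER_MAGIC = 0xB105
HEADER32_LEN = 18          # id(1) len(4) version(1) event(2) modifier(2) sec(4) msec(4)

# Event number for execve(2) from bsm/audit_kevents.h
AUE_EXECVE = 23


def parse_record(buf: bytes) -> list:
    """Parse one record and return its tokens as a list of dicts.

    Raises ValueError on any structural problem (bad header, unknown token,
    truncation, trailer mismatch) so a caller can resynchronise on the
    next header instead of trusting a misaligned parse.
    """
    if len(buf) < HEADER32_LEN or buf[0] != AUT_HEADER32:
        raise ValueError("record does not start with a header32 token")
    rec_len, version, event, modifier, secs, msecs = struct.unpack_from(">IBHHII", buf, 1)
    if rec_len > len(buf):
        raise ValueError(f"record claims {rec_len} bytes, only {len(buf)} available")
    tokens = [{"type": "header32", "len": rec_len, "version": version, "event": event,
               "modifier": modifier, "secs": secs, "msecs": msecs}]
    off = HEADER32_LEN
    try:
        while off < rec_len:
            tid = buf[off]
            if tid == AUT_PATH:
                (plen,) = struct.unpack_from(">H", buf, off + 1)
                raw = buf[off + 3:off + 3 + plen]
                if len(raw) != plen:
                    raise ValueError("truncated path token")
                # the length field counts the terminating NUL
                tokens.append({"type": "path",
                               "path": raw.rstrip(b"\0").decode("utf-8", "replace")})
                off += 3 + plen
            elif tid == AUT_SUBJECT32:
                auid, euid, egid, ruid, rgid, pid, sid, port, addr = \
                    struct.unpack_from(">9I", buf, off + 1)
                tokens.append({"type": "subject32", "auid": auid, "euid": euid, "egid": egid,
                               "ruid": ruid, "rgid": rgid, "pid": pid, "sid": sid,
                               "tid_port": port, "tid_addr": addr})
                off += 37
            elif tid == AUT_RETURN32:
                err, retval = struct.unpack_from(">BI", buf, off + 1)
                tokens.append({"type": "return32", "errno": err, "retval": retval})
                off += 6
            elif tid == AUT_TRAILER:
                magic, tlen = struct.unpack_from(">HI", buf, off + 1)
                if magic != AUT_TRAILER_MAGIC or tlen != rec_len:
                    raise ValueError("trailer magic/length mismatch")
                tokens.append({"type": "trailer", "len": tlen})
                off += 7
                break
            else:
                raise ValueError(f"unsupported token id 0x{tid:02x} at offset {off}")
    except struct.error as exc:
        raise ValueError(f"truncated token at offset {off}") from exc
    if off != rec_len or tokens[-1]["type"] != "trailer":
        raise ValueError("token sizes do not add up to the record length")
    return tokens


def iter_records(data: bytes):
    """Yield parsed records from a buffer of back-to-back records (an audit trail)."""
    off = 0
    while off < len(data):
        if len(data) - off < HEADER32_LEN or data[off] != AUT_HEADER32:
            raise ValueError(f"expected header32 token at offset {off}")
        (rec_len,) = struct.unpack_from(">I", data, off + 1)
        yield parse_record(data[off:off + rec_len])
        off += rec_len


def exec_paths(tokens: list) -> list:
    """Return every path token in a record, in order (two for an execve record)."""
    return [t["path"] for t in tokens if t["type"] == "path"]


def build_execve_record(tried: str, resolved: str, pid: int) -> bytes:
    """Construct a sample execve record: test data, not kernel output.

    uid/gid/pid/sid/timestamp are made-up values; header version 11 is assumed.
    """
    def path_tok(p: str) -> bytes:
        b = p.encode() + b"\0"
        return struct.pack(">BH", AUT_PATH, len(b)) + b

    body = path_tok(tried) + path_tok(resolved)
    body += struct.pack(">B9I", AUT_SUBJECT32, 501, 501, 20, 501, 20, pid, 100, 0, 0)
    body += struct.pack(">BBI", AUT_RETURN32, 0, 0)
    total = HEADER32_LEN + len(body) + 7
    header = struct.pack(">BIBHHII", AUT_HEADER32, total, 11, AUE_EXECVE, 0, 1119462000, 0)
    trailer = struct.pack(">BHI", AUT_TRAILER, AUT_TRAILER_MAGIC, total)
    return header + body + trailer


if __name__ == "__main__":
    trail = build_execve_record("/bin/true", "/usr/bin/true", 1234) + \
        build_execve_record("/usr/bin/id", "/usr/bin/id", 1235)
    for rec in iter_records(trail):
        subj = next(t for t in rec if t["type"] == "subject32")
        print(rec[0]["event"], subj["pid"], exec_paths(rec))
```

Feeding a real trail file to `iter_records` on a system where the attr32 layout differs will stop at the first attr32 token with "unsupported token id 0x3e", which is the intended behaviour until the extra field is understood; the two-path-token execve shape the message describes is what `exec_paths` returns.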