Re: auditing in Darwin?
- Subject: Re: auditing in Darwin?
- From: Kevin Van Vechten <email@hidden>
- Date: Wed, 22 Jun 2005 13:28:54 -0700
On Jun 22, 2005, at 10:59 AM, Todd Heberlein wrote:
> I am currently processing the binary audit file (praudit is way too
> slow) for security forensics and intrusion detection projects, and
> I am using the specifications from the SunSHIELD Basic Security
> Module Guide and Apple's Common Criteria Configuration and
> Administration Guide. As I have been doing this, I have run into a
> number of questions and issues, and I am trying to determine where
> to direct these questions. Here are some examples:
>
> (1) Is it possible to have a user-level application "tap" directly
> into the audit data without having the data written to the disk first?
No. However, it may be possible with a custom kernel/kext.
> (2) The AU_ATTR32_TOKEN token has a mysterious 4 byte field at the
> end that is not in the documentation (or shows up when using
> praudit). What is this field for?
>
> (3) Apple's AUE_CONNECT record (which differs from the SunSHIELD
> BSM documentation) does not include the local IP address and port
> for AF_INET connections (e.g., TCP/IP connections). This makes it
> difficult to map an observed packet (e.g., one detected by a Snort
> sensor) to the process that created it. Why did Apple choose to
> drop the local address and port information from the CONNECT audit
> record? Can this easily be "corrected"?
>
> (4) Apple's documentation for audit records has a number of
> discrepancies. For example, the AUE_EXECVE record includes *two*
> AU_PATH_TOKEN tokens (one for the path tried and one for the actual
> path after resolving symbolic links) not one as specified in the
> SunSHIELD documentation. Who should I contact regarding the
> mismatch between the implementation and the documentation?
Almost always, the best way is to file a bug via
<http://developer.apple.com/bugreporter/>.
> Could someone please let me know if this is the correct location
> for these types of questions, and if not, where (or to whom) should
> I direct these questions (e.g., ADC Technical Support Incident)?
This list is appropriate, but be advised that Apple engineers on this
list answer questions voluntarily on their own time.
Apple shares a common BSM implementation with the TrustedBSD effort
<http://www.trustedbsd.org/>. The trustedbsd-audit mailing list
might be another good forum for questions 2-4:
<http://www.trustedbsd.org/mailinglists.html>. Robert Watson and Wayne
Salamon are very familiar with Apple's BSM implementation:
<http://www.trustedbsd.org/developers.html>.
- Kevin
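Todd's message above is about reading the binary audit trail directly because praudit is too slow, and about the AUE_EXECVE record carrying two AU_PATH_TOKEN tokens (the path as tried, then the resolved path). The following is an added example, not code from this thread or from Apple/TrustedBSD: a small streaming parser for BSM records in the OpenBSM/Darwin byte layout. The token IDs, field sizes and the AUE_EXECVE event number are taken from OpenBSM's audit_record.h as I know it; the sample trail is synthesised in the block (not a real capture), and the audit version number, uids and timestamp in it are arbitrary. The parser does not decode AUT_ATTR32 at all, since the thread says its exact layout on Darwin is unclear; it raises on any token it does not know rather than guessing a length, which is the safe failure mode for a forensic tool.

```python
"""Minimal streaming parser for BSM binary audit records (OpenBSM/Darwin layout).

Added example; not code from the original mailing-list thread. Token IDs and
field layouts follow OpenBSM's audit_record.h; the sample trail below is
constructed with struct.pack and is not a real capture.
"""
import struct

AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_EXEC_ARGS = 0x3C
TRAILER_MAGIC = 0xB105
AUE_EXECVE = 23  # same event number in Solaris BSM and OpenBSM


def _cstrings(buf, pos, count):
    """Read `count` NUL-terminated strings starting at pos; return (list, newpos)."""
    out = []
    for _ in range(count):
        end = buf.index(b"\x00", pos)
        out.append(buf[pos:end].decode("utf-8", "replace"))
        pos = end + 1
    return out, pos


def parse_record(buf, offset=0):
    """Parse one record at offset; return (record_dict, offset_of_next_record).

    The header's size field covers the whole record including the trailer, so a
    reader can skip uninteresting records without walking every token.
    """
    if buf[offset] != AUT_HEADER32:
        raise ValueError("record does not start with a header32 token")
    size, version, event, modifier, sec, msec = struct.unpack_from(">IBHHII", buf, offset + 1)
    end = offset + size
    rec = {"version": version, "event": event, "modifier": modifier,
           "time": (sec, msec), "paths": [], "tokens": []}
    pos = offset + 18  # header32 is 18 bytes including its token id
    while pos < end:
        tid = buf[pos]
        pos += 1
        if tid == AUT_PATH:
            (plen,) = struct.unpack_from(">H", buf, pos)
            pos += 2
            rec["paths"].append(buf[pos:pos + plen - 1].decode("utf-8", "replace"))  # plen counts the NUL
            pos += plen
        elif tid == AUT_SUBJECT32:
            fields = struct.unpack_from(">9I", buf, pos)
            pos += 36
            rec["subject"] = dict(zip(("auid", "euid", "egid", "ruid", "rgid",
                                       "pid", "sid", "tid_port", "tid_addr"), fields))
        elif tid == AUT_RETURN32:
            errnum, retval = struct.unpack_from(">BI", buf, pos)
            pos += 5
            rec["return"] = (errnum, retval)
        elif tid == AUT_EXEC_ARGS:
            (count,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            rec["args"], pos = _cstrings(buf, pos, count)
        elif tid == AUT_TRAILER:
            magic, tsize = struct.unpack_from(">HI", buf, pos)
            pos += 6
            if magic != TRAILER_MAGIC or tsize != size:
                raise ValueError("trailer does not match header")
            break
        else:
            # Unknown token (e.g. AUT_ATTR32, whose Darwin layout is in question): stop, do not guess.
            raise ValueError("unhandled token 0x%02x at offset %d" % (tid, pos - 1))
        rec["tokens"].append(tid)
    if pos != end:
        raise ValueError("record length mismatch")
    return rec, end


def iter_records(buf):
    """Yield every record in a byte buffer holding an audit trail."""
    off = 0
    while off < len(buf):
        rec, off = parse_record(buf, off)
        yield rec


def execve_events(buf):
    """Return (pid, tried_path, resolved_path) for each execve with two path tokens."""
    out = []
    for rec in iter_records(buf):
        if rec["event"] == AUE_EXECVE and len(rec["paths"]) == 2:
            out.append((rec["subject"]["pid"], rec["paths"][0], rec["paths"][1]))
    return out


# --- Constructed sample: one AUE_EXECVE record with two path tokens (tried, then resolved).
def _path_token(p):
    b = p.encode() + b"\x00"
    return struct.pack(">BH", AUT_PATH, len(b)) + b


def build_execve_record():
    body = _path_token("/usr/bin/python") + _path_token("/usr/bin/python2.3")
    body += struct.pack(">BI", AUT_EXEC_ARGS, 2) + b"python\x00-c\x00"
    body += struct.pack(">B9I", AUT_SUBJECT32, 501, 501, 20, 501, 20, 4242, 100, 0, 0)
    body += struct.pack(">BBI", AUT_RETURN32, 0, 0)
    size = 18 + len(body) + 7
    header = struct.pack(">BIBHHII", AUT_HEADER32, size, 11, AUE_EXECVE, 0, 1119470934, 0)
    trailer = struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, size)
    return header + body + trailer


SAMPLE_TRAIL = build_execve_record() * 2  # two identical records back to back

if __name__ == "__main__":
    for ev in execve_events(SAMPLE_TRAIL):
        print(ev)
```

Feeding a real trail file (`open(path, "rb").read()`) to `iter_records` works the same way; the first unhandled token type will stop the parse with its offset, which is exactly where a praudit run of the same file would show you which token decoder to add next.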
Darwin-kernel mailing list (email@hidden)