Re: auditing in Darwin?
- Subject: Re: auditing in Darwin?
- From: Todd Heberlein <email@hidden>
- Date: Thu, 23 Jun 2005 10:23:39 -0700
On Jun 22, 2005, at 5:06 PM, Wayne Salamon wrote:
> (2) The AU_ATTR32_TOKEN token has a mysterious 4 byte field at the
> end that is not in the documentation (or shows up when using
> praudit). What is this field for?
Can you tell me where you are seeing this extra field? In the
definition of the au_attr32_t struct, and in logs I've viewed, I see
the same fields as given in the SunShield document.
[NOTE: The definition I am using for the AU_ATTR32_TOKEN comes from
page 86 of the SunSHIELD Basic Security Module Guide, February 2000 (5
years old!), and the definition I am using for AUE_EXECVE comes from
pg. 119 of the same document. If there is more up to date
documentation, please let me know.]
Below is an example of an audit record for the execve(2) system call
(AUE_EXECVE). First is an example output of the record from praudit.
Following that is a long output of each byte of the record (first the
fixed header, then the rest (or body) of the audit record). The
praudit output shows (1) two PATH tokens (the SunSHIELD documentation
only shows one), one for the path tried and one showing the path after
resolving any symbolic links, and (2) the AU_ATTR32_TOKEN (which does
not show the mysterious 4 byte field!).
The binary output of the audit record consists of 4 columns:
(1) byte position
(2) decimal value of the byte
(3) hexadecimal value of the byte
(4) ASCII value of the byte inside brackets
I have augmented this output with pointers showing the beginnings of
the tokens, and for the AU_ATTR32_TOKEN token I show the beginning of
each field. If you drop down to the AU_ATTR32_TOKEN token you can see
the fields:
- file mode (4 bytes)
- owner UID (4 bytes)
- owner GID (4 bytes)
- file system ID (4 bytes)
- file inode ID (4 bytes)
- device ID (4 bytes)
- mysterious field (4 bytes)
I don't know what that 4-byte field is at the end, but I need to read
it in before I can get properly aligned for the next token.
Todd
praudit output:
------------------------------
header,119,1,execve(2),0,Tue May 31 11:00:53 2005, + 616 msec
path,/bin/ls
path,/bin/ls
attribute,100555,root,wheel,234881026,0,0
subject,heberlei,heberlei,staff,heberlei,staff,417,245,50331650,0.0.0.0
return,success,417
trailer,119
------------------------------
Output from my parser:
------------------------------
Header: 20,119,1,23,0,1117562453,616
Subject: 36,501,501,20,501,20,417,245,50331650,0
Return: 39,0,417
Trailer: 19,45317,119
----- Header -----
0 020 0014 [ ] <-- Header Token
1 000 0000 [ ]
2 000 0000 [ ]
3 000 0000 [ ]
4 119 0077 [w]
5 001 0001 [ ]
6 000 0000 [ ]
7 023 0017 [ ]
8 000 0000 [ ]
9 000 0000 [ ]
10 066 0042 [B]
11 156 009c [ ]
12 166 00a6 [ ]
13 085 0055 [U]
14 000 0000 [ ]
15 000 0000 [ ]
16 002 0002 [ ]
17 104 0068 [h]
----- Body -----
0 035 0023 [#] <-- AU_PATH_TOKEN
1 000 0000 [ ]
2 008 0008 [ ]
3 047 002f [/]
4 098 0062 [b]
5 105 0069 [i]
6 110 006e [n]
7 047 002f [/]
8 108 006c [l]
9 115 0073 [s]
10 000 0000 [ ]
11 035 0023 [#] <-- AU_PATH_TOKEN
12 000 0000 [ ]
13 008 0008 [ ]
14 047 002f [/]
15 098 0062 [b]
16 105 0069 [i]
17 110 006e [n]
18 047 002f [/]
19 108 006c [l]
20 115 0073 [s]
21 000 0000 [ ]
22 062 003e [>] <-- AU_ATTR32_TOKEN
23 000 0000 [ ] - file mode (4 bytes)
24 000 0000 [ ]
25 129 0081 [ ]
26 109 006d [m]
27 000 0000 [ ] - owner UID (4 bytes)
28 000 0000 [ ]
29 000 0000 [ ]
30 000 0000 [ ]
31 000 0000 [ ] - owner GID (4 bytes)
32 000 0000 [ ]
33 000 0000 [ ]
34 000 0000 [ ]
35 014 000e [ ] - file system ID (4 bytes)
36 000 0000 [ ]
37 000 0000 [ ]
38 002 0002 [ ]
39 000 0000 [ ] - file inode ID (4 bytes)
40 000 0000 [ ]
41 000 0000 [ ]
42 000 0000 [ ]
43 000 0000 [ ] - device ID (4 bytes)
44 000 0000 [ ]
45 000 0000 [ ]
46 000 0000 [ ]
47 000 0000 [ ] - mysterious field (4 bytes)
48 000 0000 [ ]
49 000 0000 [ ]
50 000 0000 [ ]
51 036 0024 [$] <-- AU_SUBJECT_32_TOKEN
52 000 0000 [ ]
53 000 0000 [ ]
54 001 0001 [ ]
55 245 00f5 [ ]
56 000 0000 [ ]
57 000 0000 [ ]
58 001 0001 [ ]
59 245 00f5 [ ]
60 000 0000 [ ]
61 000 0000 [ ]
62 000 0000 [ ]
63 020 0014 [ ]
64 000 0000 [ ]
65 000 0000 [ ]
66 001 0001 [ ]
67 245 00f5 [ ]
68 000 0000 [ ]
69 000 0000 [ ]
70 000 0000 [ ]
71 020 0014 [ ]
72 000 0000 [ ]
73 000 0000 [ ]
74 001 0001 [ ]
75 161 00a1 [ ]
76 000 0000 [ ]
77 000 0000 [ ]
78 000 0000 [ ]
79 245 00f5 [ ]
80 003 0003 [ ]
81 000 0000 [ ]
82 000 0000 [ ]
83 002 0002 [ ]
84 000 0000 [ ]
85 000 0000 [ ]
86 000 0000 [ ]
87 000 0000 [ ]
88 039 0027 ['] <-- AU_RETURN_32_TOKEN
89 000 0000 [ ]
90 000 0000 [ ]
91 000 0000 [ ]
92 001 0001 [ ]
93 161 00a1 [ ]
94 019 0013 [ ] <-- AU_TRAILER_TOKEN
95 177 00b1 [ ]
96 005 0005 [ ]
97 000 0000 [ ]
98 000 0000 [ ]
99 000 0000 [ ]
100 119 0077 [w]
--------------------------
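Editor's addition, not Todd's parser and not code from the thread: a small Python token walker over the 119-byte record transcribed from the byte dump above (header followed by body). The token ID constants are the values that appear in the dump. One assumption is made here that the message itself does not confirm: the attr32 node ID is treated as 8 bytes, modelled on the au_attr32_t layout in OpenBSM, which would account for the extra 4 bytes before the next token. The hypothetical nid_bytes parameter exists only so you can see what the 4-byte reading does to alignment.

```python
"""Walk the tokens of one BSM audit record (the execve(2) record from the thread)."""
import struct
from typing import Any

# Token IDs as they appear in the byte dump (0x14 header, 0x23 path, ...).
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_RETURN32 = 0x27
AUT_ATTR32 = 0x3E
TRAILER_MAGIC = 0xB105  # bytes 95-96 of the body in the dump

# The 119-byte record, transcribed byte-for-byte from the dump (header + body).
RECORD = bytes.fromhex(
    "14 00000077 01 0017 0000 429ca655 00000268"      # header32
    "23 0008 2f62696e2f6c7300"                        # path  /bin/ls
    "23 0008 2f62696e2f6c7300"                        # path  /bin/ls (resolved)
    "3e 0000816d 00000000 00000000 0e000002"          # attr32: mode uid gid fsid
    "   0000000000000000 00000000"                    #         nid (8, assumed) dev
    "24 000001f5 000001f5 00000014 000001f5 00000014" # subject32: auid euid egid ruid rgid
    "   000001a1 000000f5 03000002 00000000"          #            pid sid port addr
    "27 00 000001a1"                                  # return32: errno value
    "13 b105 00000077"                                # trailer: magic length
)


def parse_record(buf: bytes, nid_bytes: int = 8) -> list[dict[str, Any]]:
    """Return the record's tokens as dicts, in order.

    Raises ValueError on an unknown token ID or a length/magic mismatch, so a
    wrong token layout is caught at the next token instead of silently
    producing garbage for the rest of the record.
    """
    tokens: list[dict[str, Any]] = []
    pos = 0
    while pos < len(buf):
        tid = buf[pos]
        if tid == AUT_HEADER32:
            reclen, ver, ev, mod, sec, msec = struct.unpack_from(">IBHHII", buf, pos + 1)
            if reclen != len(buf):
                raise ValueError(f"header length {reclen} != record length {len(buf)}")
            tokens.append({"token": "header", "len": reclen, "version": ver, "event": ev,
                           "modifier": mod, "sec": sec, "msec": msec})
            pos += 1 + 17
        elif tid == AUT_PATH:
            (plen,) = struct.unpack_from(">H", buf, pos + 1)   # length includes the NUL
            raw = buf[pos + 3:pos + 3 + plen]
            tokens.append({"token": "path", "path": raw.rstrip(b"\0").decode()})
            pos += 3 + plen
        elif tid == AUT_ATTR32:
            # Assumption (not from the thread): node ID is a 64-bit field, as in
            # OpenBSM's au_attr32_t. With nid_bytes=4 the walker lands on the
            # "mysterious" zero bytes and reports an unknown token.
            fmt = ">IIIIQI" if nid_bytes == 8 else ">IIIIII"
            mode, uid, gid, fsid, nid, dev = struct.unpack_from(fmt, buf, pos + 1)
            tokens.append({"token": "attribute", "mode": mode, "uid": uid, "gid": gid,
                           "fsid": fsid, "nid": nid, "dev": dev})
            pos += 1 + struct.calcsize(fmt)
        elif tid == AUT_SUBJECT32:
            names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")
            fields = struct.unpack_from(">9I", buf, pos + 1)
            tokens.append({"token": "subject", **dict(zip(names, fields))})
            pos += 1 + 36
        elif tid == AUT_RETURN32:
            errno, value = struct.unpack_from(">BI", buf, pos + 1)
            tokens.append({"token": "return", "errno": errno, "value": value})
            pos += 1 + 5
        elif tid == AUT_TRAILER:
            magic, reclen = struct.unpack_from(">HI", buf, pos + 1)
            if magic != TRAILER_MAGIC or reclen != len(buf):
                raise ValueError(f"bad trailer: magic 0x{magic:04x}, length {reclen}")
            tokens.append({"token": "trailer", "magic": magic, "len": reclen})
            pos += 1 + 6
        else:
            raise ValueError(f"unknown token id 0x{tid:02x} at offset {pos}")
    return tokens


def attribute_line(tok: dict[str, Any]) -> str:
    """Render an attribute token the way praudit prints it, with numeric ids
    instead of resolved user/group names (no passwd lookup here)."""
    return (f"attribute,{tok['mode']:o},{tok['uid']},{tok['gid']},"
            f"{tok['fsid']},{tok['nid']},{tok['dev']}")


if __name__ == "__main__":
    for t in parse_record(RECORD):
        print(t)
    print(attribute_line(parse_record(RECORD)[3]))
```

Walking the record with the 8-byte node ID yields the same values praudit printed (mode 100555 octal, fsid 234881026, pid 417, return value 417) and ends exactly on the trailer. Passing nid_bytes=4 stops with "unknown token id 0x00" at the start of those four extra bytes, which is the alignment problem the message describes.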