[Fed-Talk] Audit log question
- Subject: [Fed-Talk] Audit log question
- From: Todd Heberlein <email@hidden>
- Date: Wed, 16 May 2007 19:20:30 -0700

I am analyzing Apple's BSM audit logs (Mac OS X 10.4.9 on a G5), and
all records for the connect(2) system call to an IP address are
reported as failures. There are no examples of successful connection
requests even though I know they took place.

A typical audit record is:

header,88,1,connect(2),0,Tue May 15 09:44:38 2007, + 731 msec
argument,1,0x10,fd
socket-inet,2,80,17.250.248.77
subject,heberlei,heberlei,staff,heberlei,staff,384,196,50331650,0.0.0.0
return,failure : Operation now in progress,4294967295
trailer,88

The audit flags are set for "all", so I presume I should see both
successful and failed connect() attempts.

Has anyone seen a successful network connect() call in their audit
trails? Alternatively, does anyone know if this is just a bug
(i.e., inadvertently reporting a successful system call as a
failure), or is it auditing policy (even with the "all" flag) to only
record failed events?

Thanks,
Todd
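
Added example, not part of the original post: a small parser for text-form audit records like the one quoted above, which pulls out connect(2) events and decodes the return token. "Operation now in progress" is the error text for EINPROGRESS, which connect(2) returns on a non-blocking socket while the connection is still being set up, and 4294967295 is -1 printed as an unsigned 32-bit value. The second sample record, the function names and the "pending" label are assumptions of this example.

```python
# Constructed sample: first record modelled on the one in the post (subject
# token on one line); the second record is invented for contrast.
SAMPLE = """\
header,88,1,connect(2),0,Tue May 15 09:44:38 2007, + 731 msec
argument,1,0x10,fd
socket-inet,2,80,17.250.248.77
subject,heberlei,heberlei,staff,heberlei,staff,384,196,50331650,0.0.0.0
return,failure : Operation now in progress,4294967295
trailer,88
header,88,1,connect(2),0,Tue May 15 09:44:40 2007, + 12 msec
argument,1,0x10,fd
socket-inet,2,80,192.0.2.10
subject,heberlei,heberlei,staff,heberlei,staff,384,196,50331650,0.0.0.0
return,failure : Connection refused,4294967295
trailer,88
"""

def parse_records(text):
    """Yield one dict per header..trailer record: event name plus its tokens."""
    rec = None
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields[0] == "header":
            rec = {"event": fields[3], "tokens": {}}
        elif rec is not None and fields[0] == "trailer":
            yield rec
            rec = None
        elif rec is not None:
            rec["tokens"][fields[0]] = fields[1:]

def classify_connect(rec):
    """Return (addr, port, return_value, status) for an inet connect(2) record."""
    if rec["event"] != "connect(2)" or "socket-inet" not in rec["tokens"]:
        return None
    _family, port, addr = rec["tokens"]["socket-inet"]
    *status_parts, raw = rec["tokens"]["return"]
    status_text = ",".join(status_parts)
    value = int(raw)
    if value >= 2**31:           # undo the unsigned 32-bit rendering of -1
        value -= 2**32
    if status_text.startswith("success"):
        status = "success"
    elif "Operation now in progress" in status_text:   # EINPROGRESS
        status = "pending"       # outcome not known from this record alone
    else:
        status = "failed"
    return addr, int(port), value, status

def connect_events(text):
    return [c for c in map(classify_connect, parse_records(text)) if c]
```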