[Fed-Talk] posix_spawn() auditing bug
- Subject: [Fed-Talk] posix_spawn() auditing bug
- From: Todd Heberlein <email@hidden>
- Date: Sun, 12 Oct 2008 17:45:31 -0700
Hi Shawn (and any BSM audit trail users out there),
Tests on the most recent BSM for Leopard show the system call
posix_spawn() doesn't generate an audit record -- which is unfortunate
because launchd (and the dock, which I think uses launchd) starts
programs via posix_spawn(). What this means is that any new program
started this way cannot be identified in the audit trail. You will see
the actions of the process in the audit trail (e.g., process ID 1456
opened file /Users/joe/secrets), but there is no way to determine
*which* program is reading the file (e.g., is process ID 1465 Mail,
Safari, iTunes, or some command line tool?).
This makes it difficult to establish accountability, perform forensic
analysis, and do intrusion detection by analyzing program behavior.
I have filed a bug report on this issue. The bug report number is
6287352.
Todd
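The accountability gap described above, as an added example that is not part of the original post: a small Python replay over a constructed, simplified audit trail (plain tuples, not the real BSM record format) that flags file accesses by a PID for which no exec record was ever seen, which is exactly what happens when the process was started via posix_spawn() and the spawn was never audited.

```python
"""Added example, not from the original post or from BSM itself.
Replays a constructed, simplified audit trail of (event, pid, detail)
tuples and reports file activity that cannot be attributed to a program
because the trail holds no exec/spawn record for that PID."""

# Constructed sample trail. execve() is audited; the process with PID 1456
# was started via posix_spawn(), so (as the post describes) it has no
# start record, only its later actions.
SAMPLE_TRAIL = [
    ("execve", 1400, "/usr/bin/vim"),
    ("open",   1400, "/Users/joe/notes.txt"),
    ("open",   1456, "/Users/joe/secrets"),          # no exec record exists
    ("execve", 1500, "/Applications/Safari.app/Contents/MacOS/Safari"),
    ("open",   1500, "/Users/joe/Library/Cookies/Cookies.plist"),
    ("exit",   1400, ""),
    ("open",   1400, "/etc/passwd"),                 # PID reused after exit
]


def attribute(trail):
    """Replay the trail in order.

    Returns (program, unattributed) where program maps each live PID to the
    last executable recorded for it, and unattributed lists (pid, path)
    opens that occurred while no exec record was known for that PID.
    """
    program = {}
    unattributed = []
    for event, pid, detail in trail:
        if event == "execve":
            program[pid] = detail
        elif event == "exit":
            # Forget the mapping so a reused PID is not mis-attributed.
            program.pop(pid, None)
        elif event == "open":
            if pid not in program:
                unattributed.append((pid, detail))
    return program, unattributed


def report(trail):
    """Human-readable summary of the attribution gaps in a trail."""
    _, gaps = attribute(trail)
    return [f"PID {pid} opened {path}: program unknown (no exec record)"
            for pid, path in gaps]


if __name__ == "__main__":
    for line in report(SAMPLE_TRAIL):
        print(line)
```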