Re: [Fed-Talk] Audit solutions
- Subject: Re: [Fed-Talk] Audit solutions
- From: Todd Heberlein <email@hidden>
- Date: Fri, 31 Jul 2009 10:54:25 -0700
> We have several XServe units running 10.4.11 with Common Criteria Tools
> installed. Our ISSO has been reporting that auditd has been dying on
> machines in an apparently non-random way.
I haven't used BSM on MacOS 10.4.x (or 10.5.x) in some time. Does all
audit information stop? One of the reasons I stopped analysis of audit
data on Tiger and Leopard was that any process started by launchd
(like all network services! a big issue for an XServe) is not
audited. So sshd, httpd, ftpd, and all processes spawned from them did
not generate any audit records. So is it possible that auditing is
still running but just not generating any audit records? Have you
tried to login on the console (if you have a keyboard and monitor
attached) and check to see if that generates audit records?
> and can anyone who is using OpenBSM instead provide any input as to the
> reliability of that alternative?
The last I knew (which was many months ago) OpenBSM targeted Snow
Leopard and not Leopard (and presumably not Tiger then). Also, OpenBSM
changed the format of several audit tokens recently, so if there is a
mismatch between audit token generation and the audit daemon that
collects and writes the audit records to disk, that could generate a
problem.
What audit flags are turned on? With a little testing you might be
able to figure out which audit flag is associated with the problem and
then just turn that audit flag off.
Sorry I don't have better news on the 10.4 and 10.5 fronts. I would
love to hear if Apple has fixed these launchd issues. If they have, I
will go back and revisit it for Leopard at least.
Todd
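An added helper for the flag-by-flag testing suggested above; it is not part of this thread or of the Common Criteria Tools. It assumes the audit_control "flags:" syntax of comma-separated audit classes with optional +, - and ^ success/failure prefixes, and emits one candidate flags line per class with that class removed, so each variant can be tried in turn.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): take the value of the "flags:"
# line from /etc/security/audit_control and print one candidate line per
# audit class, each with that single class removed. Trying the variants one
# at a time isolates the class that correlates with auditd dying.

# Strip the +/-/^ success/failure prefixes from one class spec: "^-fa" -> "fa"
base_class() {
    printf '%s\n' "$1" | sed 's/^[+^-]*//'
}

# Print FLAGS with every spec belonging to class DROP removed.
# Example: without_flag "lo,ad,-all,^-fa" "ad"  ->  lo,-all,^-fa
without_flag() {
    flags="$1"; drop="$2"; out=""
    old_ifs="$IFS"; IFS=','; set -- $flags; IFS="$old_ifs"
    for spec in "$@"; do
        if [ "$(base_class "$spec")" != "$drop" ]; then
            out="${out:+$out,}$spec"
        fi
    done
    printf '%s\n' "$out"
}

# Print "class<TAB>flags-without-class" once for each distinct class in FLAGS.
bisect_variants() {
    flags="$1"; seen=""
    old_ifs="$IFS"; IFS=','; set -- $flags; IFS="$old_ifs"
    for spec in "$@"; do
        cls=$(base_class "$spec")
        case ",$seen," in *",$cls,"*) continue ;; esac   # class already listed
        seen="${seen:+$seen,}$cls"
        printf '%s\t%s\n' "$cls" "$(without_flag "$flags" "$cls")"
    done
}

# Constructed sample flags line for a stand-alone run:
bisect_variants "lo,ad,-all,^-fa"
```

Each printed line is a candidate "flags:" value; restart auditd with one variant at a time and note which removal stops the crashes.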