Delivered-To: darwin-dev@lists.apple.com

On Oct 12, 2009, at 12:45 PM, Rustam Muginov wrote:

> Thank you a lot for pointing up to the audit method.
> I had found the "bsm" folder in the Mac OS X 10.5 SDK, looked through the header files, but failed to find any documentation on them so far.

I would recommend that you first read the Sun documentation on the BSM format (see http://docs.sun.com/app/docs/doc/806-1789). The BSM audit format is standard across Solaris, FreeBSD and Mac OS X with some minor differences. You may want to also refer to the TrustedBSD web site and mailing list: http://www.trustedbsd.org/audit.html

> The only docs I found are the Common Criteria manuals about command-line tools and GUI apps here: http://www.apple.com/support/security/commoncriteria/

As for Apple documentation, take a look at 'man libbsm' and some of the man pages mentioned under "SEE ALSO".

> Are there any examples/code snippets available?

'praudit': (see 'man praudit') http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbs...
'bsmtrace': (a simple host-based IDS) http://p4db.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbs...

> I do believe I could use the audit facility from inside my application, instead of relying on external command-line tools.
> Should the process dealing with audit run on behalf of root, or could it be a regular user process?

To read from /dev/auditpipe your process will need root privileges, so you may want to create a monitoring daemon that sends messages with the information you need via some kind of IPC.

Please note the "BUGS" section of the auditpipe man page about it dropping records if userland can't read them fast enough. Of course, the queue length/buffer can be increased to reduce this possibility. The event will always be written to the audit trail file.

Best Regards,
-stacey.
_______________________________________________
Darwin-dev mailing list (Darwin-dev@lists.apple.com)