On Jun 21, 2005, at 3:18 PM, Quinn wrote:

> At 10:43 -0700 21/6/05, Todd Heberlein wrote:
>> Is this auditing available in Darwin?
>
> Yes. The kernel's auditing support is built in. So, when you get the
> kernel source (project "xnu"), you get the auditing support as well.

Great. My network connection is neither fast nor reliable, so I have been
hesitant to go through the hassle of downloading the kernel code. Being able
to look at the source code for auditing information now makes it worth the
effort.

>> Is this the best community for discussing internal issues of the
>> auditing system?
>
> Well, that depends on whether these issues are related to the kernel, or
> the interface between the kernel and user space auditing components. If
> so, yes, this is the right place. OTOH, if you're just interested in the
> user space aspects of auditing, darwin-kernel is probably not the place
> you want to be.

I am currently processing the binary audit file (praudit is way too slow)
for security forensics and intrusion detection projects, and I am using the
specifications from the SunSHIELD Basic Security Module Guide and Apple's
Common Criteria Configuration and Administration Guide. As I have been doing
this, I have run into a number of questions and issues, and I am trying to
determine where to direct these questions. Here are some examples:

(1) Is it possible to have a user-level application "tap" directly into the
audit data without having the data written to the disk first?

(2) The AU_ATTR32_TOKEN token has a mysterious 4 byte field at the end that
is not in the documentation (or shows up when using praudit). What is this
field for?

(3) Apple's AUE_CONNECT record (which differs from the SunSHIELD BSM
documentation) does not include the local IP address and port for AF_INET
connections (e.g., TCP/IP connections). This makes it difficult to map an
observed packet (e.g., one detected by a Snort sensor) to the process that
created it. Why did Apple choose to drop the local address and port
information from the CONNECT audit record? Can this easily be "corrected"?

(4) Apple's documentation for audit records has a number of discrepancies.
For example, the AUE_EXECVE record includes *two* AU_PATH_TOKEN tokens (one
for the path tried and one for the actual path after resolving symbolic
links), not one as specified in the SunSHIELD documentation. Who should I
contact regarding the mismatch between the implementation and the
documentation?

Could someone please let me know if this is the correct location for these
types of questions, and if not, where (or to whom) should I direct these
questions (e.g., ADC Technical Support Incident)?

Current Build: Mac OS X 10.3.9 (7W98), Darwin 7.9.0

Thanks,
Todd

_______________________________________________
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
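The questions above all come down to walking BSM records token by token and noticing where the implementation departs from the documentation. The following Python parser is an added example, not code from the thread, from praudit, or from Apple. It assumes the token layouts as documented for BSM (header32, subject32, path, attr32, sockinet32, return32, trailer) and the standard BSM event numbers AUE_EXECVE = 23 and AUE_CONNECT = 32; the two records it parses are constructed inline, not captured from a real system. The extra 4 bytes after attr32 are modelled exactly as the post reports them (present, meaning unknown), and the example shows the check a forensic parser should rely on: the record length in the header and the trailer magic only line up if every token was sized correctly, so an undocumented field shows up as a trailer mismatch or an impossible token id rather than as silently wrong fields.

```python
import struct

# BSM token ids (values as used by Solaris BSM / OpenBSM audit_record.h)
AUT_TRAILER, AUT_HEADER32, AUT_PATH = 0x13, 0x14, 0x23
AUT_SUBJECT32, AUT_RETURN32, AUT_ATTR32, AUT_SOCKINET32 = 0x24, 0x27, 0x3E, 0x80
TRAILER_MAGIC = 0xB105
AUE_EXECVE, AUE_CONNECT = 23, 32          # assumed from the BSM event tables

# Assumption: attr32 carries 4 undocumented bytes after 'dev', as the post
# reports for Mac OS X 10.3.9. Their meaning is unknown; we only size them.
ATTR32_TRAILING_BYTES = 4


def parse_record(buf: bytes, attr32_extra: int = ATTR32_TRAILING_BYTES) -> dict:
    """Parse one record (header .. trailer). Raises ValueError if the token
    walk does not end exactly on a valid trailer, i.e. a token was mis-sized."""
    if len(buf) < 18 or buf[0] != AUT_HEADER32:
        raise ValueError("record does not start with a header32 token")
    reclen, _ver, event, modifier, secs, msecs = struct.unpack(">IBHHII", buf[1:18])
    if reclen > len(buf):
        raise ValueError("header length exceeds buffer")
    rec = {"event": event, "modifier": modifier, "time": (secs, msecs),
           "paths": [], "tokens": []}
    off = 18
    while off < reclen:
        tid = buf[off]
        if tid == AUT_PATH:                      # id, len(2), path bytes (NUL incl.)
            (n,) = struct.unpack(">H", buf[off + 1:off + 3])
            rec["paths"].append(buf[off + 3:off + 3 + n].rstrip(b"\0").decode())
            off += 3 + n
        elif tid == AUT_SUBJECT32:               # 7 ids + terminal id (port, addr)
            names = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid",
                     "tid_port", "tid_addr")
            rec["subject"] = dict(zip(names, struct.unpack(">9I", buf[off + 1:off + 37])))
            off += 37
        elif tid == AUT_ATTR32:                  # mode, uid, gid, fsid, nid(8), dev
            mode, uid, gid, fsid, nid, dev = struct.unpack(">IIIIQI", buf[off + 1:off + 29])
            rec["attr"] = {"mode": mode, "uid": uid, "gid": gid, "fsid": fsid,
                           "nid": nid, "dev": dev,
                           "extra": buf[off + 29:off + 29 + attr32_extra].hex()}
            off += 29 + attr32_extra
        elif tid == AUT_SOCKINET32:              # family(2), port(2), IPv4 addr(4)
            family, port, addr = struct.unpack(">HH4s", buf[off + 1:off + 9])
            rec["socket"] = {"family": family, "port": port,
                             "addr": ".".join(str(b) for b in addr)}
            off += 9
        elif tid == AUT_RETURN32:                # errno(1), return value(4)
            err, val = struct.unpack(">BI", buf[off + 1:off + 6])
            rec["return"] = {"errno": err, "value": val}
            off += 6
        elif tid == AUT_TRAILER:                 # magic(2), record length(4)
            magic, tlen = struct.unpack(">HI", buf[off + 1:off + 7])
            if magic != TRAILER_MAGIC or tlen != reclen or off + 7 != reclen:
                raise ValueError("trailer mismatch at offset %d" % off)
            off += 7
        else:
            raise ValueError("unknown token 0x%02x at offset %d" % (tid, off))
        rec["tokens"].append(tid)
    return rec


def token_sizes_consistent(buf: bytes, attr32_extra: int) -> bool:
    """Probe a candidate attr32 size: True only if the walk lands on the trailer."""
    try:
        parse_record(buf, attr32_extra)
        return True
    except ValueError:
        return False


# --- constructed sample records (not captured from a real audit trail) ---
def _record(event: int, body: bytes) -> bytes:
    total = 18 + len(body) + 7
    hdr = struct.pack(">BIBHHII", AUT_HEADER32, total, 11, event, 0, 1119400000, 0)
    return hdr + body + struct.pack(">BHI", AUT_TRAILER, TRAILER_MAGIC, total)


def tok_path(p: str) -> bytes:
    b = p.encode() + b"\0"
    return struct.pack(">BH", AUT_PATH, len(b)) + b


def example_records() -> dict:
    subj = struct.pack(">B9I", AUT_SUBJECT32, 501, 501, 20, 501, 20, 4242, 100, 0, 0)
    ret_ok = struct.pack(">BBI", AUT_RETURN32, 0, 0)
    # execve: path tried, then path after symlink resolution, then attr32 with
    # the 4 undocumented trailing bytes (value 7 chosen arbitrarily here)
    attr = struct.pack(">BIIIIQI", AUT_ATTR32, 0o100755, 0, 0, 1, 12345, 0x0E000002)
    execve = _record(AUE_EXECVE, subj + tok_path("/tmp/ls") + tok_path("/bin/ls")
                     + attr + b"\x00\x00\x00\x07" + ret_ok)
    # connect: only the remote socket is recorded; nothing names the local endpoint
    sock = struct.pack(">BHH4s", AUT_SOCKINET32, 2, 80, bytes([10, 0, 0, 5]))
    connect = _record(AUE_CONNECT, subj + sock + ret_ok)
    return {"execve": execve, "connect": connect}


if __name__ == "__main__":
    for name, raw in example_records().items():
        print(name, parse_record(raw))
```

Running it with `attr32_extra=0` (the documented size) fails on the execve record, while the 4-byte guess walks cleanly to the trailer; that probe is how to pin down an undocumented field without trusting any single token's documented width. The connect record parses to a single `socket` entry, which is exactly the gap behind question (3): nothing in the record identifies the local address and port needed to correlate with a sniffed packet.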