On Jun 22, 2005, at 10:59 AM, Todd Heberlein wrote:

> I am currently processing the binary audit file (praudit is way too slow) for security forensics and intrusion detection projects, and I am using the specifications from the SunSHIELD Basic Security Module Guide and Apple's Common Criteria Configuration and Administration Guide. As I have been doing this, I have run into a number of questions and issues, and I am trying to determine where to direct these questions. Here are some examples:
>
> (1) Is it possible to have a user-level application "tap" directly into the audit data without having the data written to the disk first?

No. However, it may be possible to do so with a custom kernel/kext.

> (2) The AU_ATTR32_TOKEN token has a mysterious 4 byte field at the end that is not in the documentation (or shows up when using praudit). What is this field for?
>
> (3) Apple's AUE_CONNECT record (which differs from the SunSHIELD BSM documentation) does not include the local IP address and port for AF_INET connections (e.g., TCP/IP connections). This makes it difficult to map an observed packet (e.g., one detected by a Snort sensor) to the process that created it. Why did Apple choose to drop the local address and port information from the CONNECT audit record? Can this easily be "corrected"?
>
> (4) Apple's documentation for audit records has a number of discrepancies. For example, the AUE_EXECVE record includes *two* AU_PATH_TOKEN tokens (one for the path tried and one for the actual path after resolving symbolic links), not one as specified in the SunSHIELD documentation.
>
> Who should I contact regarding the mismatch between the implementation and the documentation?

Almost always, the best way is to file a bug via <http://developer.apple.com/bugreporter/>.

> Could someone please let me know if this is the correct location for these types of questions, and if not, where (or to whom) should I direct these questions (e.g., ADC Technical Support Incident)?

This list is appropriate, but be advised that Apple engineers on this list answer questions voluntarily on their own time.

Apple shares a common BSM implementation with the TrustedBSD effort <http://www.trustedbsd.org/>. The trustedbsd-audit mailing list might be another good forum for questions 2-4. <http://www.trustedbsd.org/mailinglists.html>. Robert Watson and Wayne Salamon are very familiar with Apple's BSM implementation. <http://www.trustedbsd.org/developers.html>.

- Kevin
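The processing problem Todd describes (reading the binary trail directly instead of through praudit, coping with records whose token list differs from the SunSHIELD documentation, and mapping a connect back to a pid) as an added example; this is not code from the thread, from Apple, or from TrustedBSD. Token layouts follow OpenBSM's au_to_*() builders, the token ids and the AUE_EXECVE/AUE_CONNECT event numbers are assumed from OpenBSM's bsm/audit_record.h and bsm/audit_kevents.h and must be checked against the platform actually being parsed, and the sample trail, its helper builders (_tok, _path, _record) and the pids, paths and addresses in it are constructed here.

```python
"""Token-driven parser for a BSM-style binary audit trail (added example, not code
from the thread or from Apple/TrustedBSD). Token layouts follow OpenBSM's au_to_*()
builders; token ids and event numbers are assumed from OpenBSM's headers."""
import socket
import struct

AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_SUBJECT32 = 0x13, 0x14, 0x23, 0x24
AUT_RETURN32, AUT_SOCKINET32, AUT_ATTR32 = 0x27, 0x2C, 0x3E
TRAILER_MAGIC = 0xB105
AUE_EXECVE, AUE_CONNECT = 23, 32  # assumed from OpenBSM bsm/audit_kevents.h

# Fixed-layout tokens: id -> (name, big-endian struct format, field names).
FIXED = {
    AUT_HEADER32: ("header32", ">IBHHII", ("size", "version", "event", "modifier", "sec", "msec")),
    AUT_TRAILER: ("trailer", ">HI", ("magic", "size")),
    AUT_ATTR32: ("attr32", ">IIIIQI", ("mode", "uid", "gid", "fsid", "nid", "dev")),
    AUT_SUBJECT32: ("subject32", ">9I", ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid_port", "tid_addr")),
    AUT_RETURN32: ("return32", ">BI", ("errno", "retval")),
    AUT_SOCKINET32: ("sockinet32", ">HHI", ("family", "port", "addr")),
}

def parse_token(buf, off):
    """Parse one token at buf[off:]; return (name, fields, next_offset)."""
    tid = buf[off]
    if tid == AUT_PATH:  # variable length: u16 length, then a NUL-terminated path
        (ln,) = struct.unpack_from(">H", buf, off + 1)
        raw = buf[off + 3:off + 3 + ln]
        if len(raw) != ln:
            raise ValueError("truncated path token at %d" % off)
        return "path", {"path": raw.rstrip(b"\0").decode("utf-8", "replace")}, off + 3 + ln
    if tid not in FIXED:
        raise ValueError("unknown token id 0x%02x at %d" % (tid, off))
    name, fmt, names = FIXED[tid]
    end = off + 1 + struct.calcsize(fmt)
    if end > len(buf):
        raise ValueError("truncated %s token at %d" % (name, off))
    fields = dict(zip(names, struct.unpack_from(fmt, buf, off + 1)))
    if name == "trailer" and fields["magic"] != TRAILER_MAGIC:
        raise ValueError("bad trailer magic 0x%04x at %d" % (fields["magic"], off))
    return name, fields, end

def parse_trail(data):
    """Split on header32.size, then walk each record token by token.
    Returns [(event, tokens, error)]. Boundaries come from the header length, so
    an undocumented token or an extra field spoils only its own record."""
    records, off = [], 0
    while off < len(data):
        size = struct.unpack_from(">I", data, off + 1)[0] if data[off] == AUT_HEADER32 else 0
        rec = data[off:off + size]
        if size < 25 or len(rec) != size:  # 18-byte header + 7-byte trailer at minimum
            raise ValueError("bad record header or length at %d" % off)
        _, hdr, pos = parse_token(rec, 0)
        tokens, err = [("header32", hdr)], None
        try:
            while pos < size:
                name, fields, pos = parse_token(rec, pos)
                tokens.append((name, fields))
            if tokens[-1][0] != "trailer" or tokens[-1][1]["size"] != size:
                err = "header/trailer length mismatch"
        except (ValueError, struct.error) as e:
            err = str(e)
        records.append((hdr["event"], tokens, err))
        off += size
    return records

def execve_paths(tokens):  # in order: path tried, then the path after symlink resolution
    return [f["path"] for n, f in tokens if n == "path"]

def connect_index(records):
    """(remote_ip, remote_port) -> pid for successful connects; no local endpoint is recorded."""
    idx = {}
    for event, tokens, err in records:
        t = dict(tokens)
        if event == AUE_CONNECT and not err and "sockinet32" in t and not t.get("return32", {}).get("errno", 1):
            ip = socket.inet_ntoa(struct.pack(">I", t["sockinet32"]["addr"]))
            idx[(ip, t["sockinet32"]["port"])] = t["subject32"]["pid"]
    return idx

# Constructed sample trail (not captured from a real system).
def _tok(tid, fmt, *vals):
    return bytes([tid]) + struct.pack(fmt, *vals)

def _path(p):
    b = p.encode() + b"\0"
    return _tok(AUT_PATH, ">H", len(b)) + b

def _record(event, body):
    size = 18 + len(body) + 7  # header32 is 18 bytes, trailer 7
    return (_tok(AUT_HEADER32, ">IBHHII", size, 1, event, 0, 1119457140, 0)
            + body + _tok(AUT_TRAILER, ">HI", TRAILER_MAGIC, size))

SUBJECT = _tok(AUT_SUBJECT32, ">9I", 501, 501, 20, 501, 20, 4242, 100, 0, 0)
OK = _tok(AUT_RETURN32, ">BI", 0, 0)
SAMPLE_TRAIL = (
    _record(AUE_EXECVE, _path("/usr/local/bin/python") + _path("/opt/python/bin/python3")
            + _tok(AUT_ATTR32, ">IIIIQI", 0o100755, 0, 0, 1, 98765, 0x1000004) + SUBJECT + OK)
    + _record(AUE_CONNECT, _tok(AUT_SOCKINET32, ">HHI", 2, 443,
                                struct.unpack(">I", socket.inet_aton("203.0.113.10"))[0]) + SUBJECT + OK)
    + _record(AUE_CONNECT, b"\x7f\0\0\0\0" + SUBJECT + OK)  # undocumented token id 0x7f
)
```

Two design points matter for the questions above. First, the parser is token-driven rather than template-driven: it never assumes how many path or attr tokens an execve record carries, so the second AU_PATH_TOKEN is simply returned as another token, and the header's record length (cross-checked against the trailer) decides where the next record starts, so a token with an undocumented trailing field, or an unknown token id such as the 0x7f in the third constructed record, marks only that record as unparsable instead of desynchronising the whole trail. Second, connect_index shows the limit Todd hits: with only the remote address and port in the record, a sensor-observed packet can be matched to a pid on the remote endpoint and the timestamp alone.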
Participants (1): Kevin Van Vechten