On Mar 3, 2004, at 2:09 PM, John C. Daub wrote:
on 3/3/04 12:58 PM, Shawn Erickson at shawn@freetimesw.com wrote:
On Mar 3, 2004, at 8:11 AM, John C. Daub wrote:
I'm looking at the auditing support that was added to the kernel in Panther. I'm figuring out some things from headers, source, and Google, but it's not enough. Just wondering if anyone knows of any documentation and/or sample code pertaining to Darwin's kernel auditing support.

Can you better define "auditing"? It can mean slightly different things to different folks.

I'm new to this sort of thing (working with the kernel), so please forgive my newbieness. :-)

I'm looking for information about that which is within /usr/include/sys/audit.h (from Mac OS X 10.3.2). I see various routines such as audit(), auditon(), auditsvc(), and auditctl(). I see data structures like au_record_t, auditinfo_addr_t, and auditinfo_t. I see constants like AUDIT_CNT, A_GETPOLICY, and AUDIT_RECORD_MAGIC. I'm looking for sample code or, preferably, documentation about everything within sys/audit.h... functions, data structures, constants.
You'll get most of these things when audit (as defined in these headers/sources) is fully supported in the Darwin kernel. For now, you are looking at the shell of an implementation (e.g. a work-in-progress). In particular, the kernel currently constructs audit records of its own, and accepts audit records from user space, but doesn't have any code to "do anything" with those records. You'll have to wait for that (it is being worked on, but no release times can be committed to at this point).

The general gist of the audit support can be gleaned by looking at the Solaris BSM design. The goal of Darwin audit is to be (at least loosely) compatible with that approach (working from just public information).

--Jim

_______________________________________________
darwin-kernel mailing list | darwin-kernel@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.
Participants (1): Jim Magee
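The original question asks for sample code around the audit records that audit.h describes, and the reply points at the Solaris BSM design as the model. The following is an added example, not code from the thread, from Darwin, or from Apple: it builds a BSM-style audit record in user space (header, subject, text and trailer tokens) and then validates the record's framing the way a consumer of such records should, cross-checking the header length, the trailer length and the actual byte count, and refusing tokens it does not know rather than guessing their size. The token ids, the field layout, the 16-bit 0xB105 trailer magic and the version byte 11 are taken from the published Solaris BSM / OpenBSM record format and are assumptions here; the page itself names none of them. The audit uid 501, pid 4242, event number 6 and the text "login" are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Token ids and sizes from the published Solaris BSM / OpenBSM record
 * format (assumed; not taken from the page). All integers are big-endian. */
#define AUT_HEADER32   0x14   /* id, u32 length, u8 version, u16 event, u16 modifier, u32 sec, u32 msec */
#define AUT_TRAILER    0x13   /* id, u16 magic, u32 length */
#define AUT_SUBJECT32  0x24   /* id, auid, euid, egid, ruid, rgid, pid, sid, tid port, tid addr */
#define AUT_TEXT       0x28   /* id, u16 length (includes NUL), bytes */
#define TRAILER_MAGIC  0xB105
#define RECORD_VERSION 11     /* OpenBSM record version (assumed) */
#define HDR32_LEN      18
#define TRAILER_LEN    7
#define SUBJ32_LEN     37

static size_t put8(uint8_t *p, uint8_t v)   { p[0] = v; return 1; }
static size_t put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; return 2; }
static size_t put32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff; return 4;
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Lay out header32 + subject32 + text + trailer into buf.
 * Returns the record length in bytes, or 0 if it does not fit. */
size_t bsm_build_record(uint8_t *buf, size_t cap, uint16_t event, uint32_t auid,
                        uint32_t pid, uint32_t sec, uint32_t msec, const char *text)
{
    size_t tlen = strlen(text) + 1;                 /* text length field counts the NUL */
    if (tlen > 0xffff) return 0;
    size_t total = HDR32_LEN + SUBJ32_LEN + 3 + tlen + TRAILER_LEN;
    if (total > cap || total > 0xffffffffu) return 0;
    uint8_t *p = buf;
    p += put8(p, AUT_HEADER32);
    p += put32(p, (uint32_t)total);                 /* whole record, header and trailer included */
    p += put8(p, RECORD_VERSION);
    p += put16(p, event);
    p += put16(p, 0);                               /* event modifier */
    p += put32(p, sec);
    p += put32(p, msec);
    p += put8(p, AUT_SUBJECT32);
    for (int i = 0; i < 5; i++) p += put32(p, auid); /* auid, euid, egid, ruid, rgid: one id for the demo */
    p += put32(p, pid);
    p += put32(p, 0);                               /* session id */
    p += put32(p, 0);                               /* terminal port */
    p += put32(p, 0);                               /* terminal machine address */
    p += put8(p, AUT_TEXT);
    p += put16(p, (uint16_t)tlen);
    memcpy(p, text, tlen); p += tlen;
    p += put8(p, AUT_TRAILER);
    p += put16(p, TRAILER_MAGIC);
    p += put32(p, (uint32_t)total);                 /* must agree with the header length */
    return (size_t)(p - buf);
}

/* Validate framing and walk the tokens. Copies the text token into text_out
 * if given. Returns the event type, or -1 on any inconsistency. */
int bsm_check_record(const uint8_t *rec, size_t len, char *text_out, size_t text_cap)
{
    if (len < HDR32_LEN + TRAILER_LEN || rec[0] != AUT_HEADER32) return -1;
    if (get32(rec + 1) != len) return -1;           /* header length vs. bytes actually received */
    const uint8_t *tr = rec + len - TRAILER_LEN;
    if (tr[0] != AUT_TRAILER || get16(tr + 1) != TRAILER_MAGIC || get32(tr + 3) != len) return -1;
    int event = get16(rec + 6);
    size_t off = HDR32_LEN, end = len - TRAILER_LEN;
    while (off < end) {
        switch (rec[off]) {
        case AUT_SUBJECT32:
            if (end - off < SUBJ32_LEN) return -1;
            off += SUBJ32_LEN; break;
        case AUT_TEXT: {
            if (end - off < 3) return -1;
            uint16_t tl = get16(rec + off + 1);
            if (tl == 0 || end - off - 3 < tl || rec[off + 3 + tl - 1] != 0) return -1;
            if (text_out) { if (tl > text_cap) return -1; memcpy(text_out, rec + off + 3, tl); }
            off += 3 + tl; break;
        }
        default: return -1;                         /* unknown token: refuse rather than guess its size */
        }
    }
    return off == end ? event : -1;
}

/* Round trip, then tamper with the framing. Returns 0 when every check behaves. */
int bsm_selftest(void)
{
    uint8_t rec[128]; char txt[32];
    size_t n = bsm_build_record(rec, sizeof rec, 6, 501, 4242, 1078350000u, 0, "login");
    if (n != 71) return 1;                          /* 18 + 37 + (3 + 6) + 7 */
    if (bsm_check_record(rec, n, txt, sizeof txt) != 6 || strcmp(txt, "login") != 0) return 2;
    if (bsm_check_record(rec, n - 1, NULL, 0) != -1) return 3;   /* truncated record */
    rec[2] ^= 0x01;                                 /* corrupt header length */
    if (bsm_check_record(rec, n, NULL, 0) != -1) return 4;
    rec[2] ^= 0x01;
    rec[n - 6] ^= 0x01;                             /* corrupt trailer magic */
    if (bsm_check_record(rec, n, NULL, 0) != -1) return 5;
    return 0;
}

int main(void)
{
    int r = bsm_selftest();
    if (r == 0) printf("bsm record self-test ok\n");
    else printf("bsm record self-test failed at step %d\n", r);
    return r;
}
```

On a Darwin host the finished buffer is what the audit() routine named in the question would take from user space, though, as the reply says, nothing in the Panther kernel consumed such records yet. The point of the checker is the three-way length agreement (header, trailer, bytes received) plus the refusal of unknown tokens: a record consumer that skips either check can be walked off the end of a buffer by a malformed record.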