BSM audit on Mac OS X

R. Tyler Ballance tyler at bleepsoft.com
Thu Sep 28 22:16:45 PDT 2006



On Sep 27, 2006, at 1:22 PM, benjamin.morin wrote:

> Hi,
>
> I would be interested in monitoring system calls on Mac OS X (for intrusion detection purposes).
>
> I have tried to compile trustedbsd-audit (package openbsm-1.0-alpha12.tgz) on a mac mini (Mac OS 10.4.7, powerpc-apple-darwin8-gcc-4.0.0 (GCC) 4.0.0 20041026 (Apple Computer, Inc. build 4061)).
>
> The compilation fails with the following message:
>
> auditfilterd.c: In function 'mainloop_file':
> auditfilterd.c:200: error: 'CLOCK_REALTIME' undeclared (first use in this function)
> auditfilterd.c:200: error: (Each undeclared identifier is reported only once
> auditfilterd.c:200: error: for each function it appears in.)
> auditfilterd.c: In function 'mainloop_pipe':
> auditfilterd.c:250: error: 'CLOCK_REALTIME' undeclared (first use in this function)
> make[2]: *** [auditfilterd.o] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all-recursive] Error 1
>
> Is this "normal"?
>
> Thanks for any help,

Heh, this was one of the first things I hit when I was starting to work on openbsm/Darwin. The FreeBSD kernel has a few different options for fetching the time from the kernel, but XNU doesn't, so the quickest solution IMHO was just to call out to the standard libc and form a response that auditfilterd.c wants. I've not tested, but it compiles, and that's all that's really important anyways, right? ;)

My solution was to add a header compat/kernel_time.h ( http://perforce.freebsd.org/fileViewer.cgi?FSPC=//depot/user/tyler/openbsm/compat/kernel%5ftime.h&REV=3 ) and then include that in auditfilterd.c

It *should* work, but I can't do much testing on my single intel iMac for openbsm and auditing at the moment because I'm busy with contracts and I'm scared to hose my work computer ;)

Cheers,

-R. Tyler Ballance

p.s. just CC'ing this to the list just for grins :)
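As an added illustration of the approach Tyler describes (this is not the compat/kernel_time.h from his Perforce branch, which is not reproduced here), a shim that synthesises the result of clock_gettime(CLOCK_REALTIME, ...) from the gettimeofday() that the Darwin 8 libc does provide. It assumes auditfilterd.c only needs a filled-in struct timespec; the compat_* names and the COMPAT_NEED_CLOCK_GETTIME guard are constructed for this example.

```c
/* Added example, not the header from the Perforce branch above: emulate
 * clock_gettime(CLOCK_REALTIME, &ts) on a libc that only has gettimeofday(),
 * which is the gap the 'CLOCK_REALTIME undeclared' error points at.
 * compat_* names and the COMPAT_NEED_CLOCK_GETTIME guard are constructed. */
#include <errno.h>
#include <stddef.h>
#include <sys/time.h>
#include <time.h>

/* Only fill the gap when the host headers really lack the clock id. */
#ifndef CLOCK_REALTIME
#define CLOCK_REALTIME 0
#define COMPAT_NEED_CLOCK_GETTIME 1
#endif

/* Wall-clock time as a struct timespec, built from microsecond gettimeofday().
 * Returns 0 on success, -1 with errno set, mirroring the POSIX contract. */
int compat_clock_gettime(int clock_id, struct timespec *ts)
{
    struct timeval tv;
    if (ts == NULL || clock_id != CLOCK_REALTIME) {
        errno = EINVAL;          /* only the realtime clock is emulated */
        return -1;
    }
    if (gettimeofday(&tv, NULL) != 0)
        return -1;               /* errno already set by gettimeofday() */
    ts->tv_sec = tv.tv_sec;
    ts->tv_nsec = (long)tv.tv_usec * 1000;   /* usec -> nsec */
    return 0;
}

/* Let auditfilterd.c keep calling clock_gettime() unmodified on such hosts. */
#ifdef COMPAT_NEED_CLOCK_GETTIME
#define clock_gettime(id, ts) compat_clock_gettime((id), (ts))
#endif

/* Self-check: seconds since the epoch if the shim agrees with gettimeofday()
 * to within a second and the nanosecond field is in range, 0 otherwise. */
long compat_clock_selfcheck(void)
{
    struct timespec ts;
    struct timeval tv;
    if (compat_clock_gettime(CLOCK_REALTIME, &ts) != 0 || gettimeofday(&tv, NULL) != 0)
        return 0;
    if (ts.tv_nsec < 0 || ts.tv_nsec >= 1000000000L || tv.tv_sec - ts.tv_sec > 1)
        return 0;
    return (long)ts.tv_sec;
}
```

On a host whose libc already has clock_gettime(), the guard leaves the real function untouched and the shim is merely an extra symbol.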