sample 5.3 based trusted os ;-)

Robert Watson rwatson at FreeBSD.org
Fri Jan 21 21:19:30 GMT 2005


On Fri, 21 Jan 2005, Martin Englund wrote:

> ilmar at watson.org wrote:
> 
> >> Do you have a rough idea of what/how many syscalls you've added
> >> auditing to?
> > I'll send a complete specification of the 179 audited syscalls on Monday.
> >
> What audit log format will you use?

The Darwin Audit subsystem implemented by McAfee Research uses Sun's BSM
file format and largely conforms to the documented BSM APIs (subject to
some limitations in the documentation and APIs).  The interfaces to set up
the audit log and retrieve information on audit space conditions, etc., are
a bit different, as Mach IPC is used in Darwin for some of this, and a
pseudo-device in FreeBSD.  (The slightly older FreeBSD port of the Apple
BSM code that Ilmar's work is based on uses a fifo to push audit subsystem
events (space notifications, etc.) to user space, but that approach doesn't
work so well in recent FreeBSD kernels, as fifos are a first class object
hung off of file descriptors rather than vnodes.)  While I've done a
little testing to see if the FreeBSD BSM streams can be read by an older
version of Solaris's praudit tool, it's hardly extensive -- mostly just a
few sample trails to sanity check the output.  I don't suppose Sun would
be interested in posting open source API and file format validation tools?
:-)

Robert N M Watson
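The message above mentions sanity-checking BSM trails against praudit and wishes for file format validation tools. The following is an added example, not code from the thread or from the Apple/FreeBSD/OpenBSM audit implementation: a minimal framing check for a BSM trail that walks each record, reads its header32 token, and confirms the trailer token carries the BSM trailer magic and the same byte count. The token ids, field widths and trailer magic (0x14, 0x13, 0xB105) are assumed from the BSM record layout; the sample trail and its event type numbers are constructed inline and are placeholders, not real audit event ids.

```python
"""Minimal framing check for a BSM audit trail (added example, not OpenBSM code).

Assumed token layout (BSM/OpenBSM record format, big-endian):
  header32: id(1)=0x14, record byte count(4), version(1), event type(2),
            event modifier(2), seconds(4), milliseconds(4)   -> 18 bytes
  trailer:  id(1)=0x13, magic(2)=0xB105, record byte count(4) ->  7 bytes
The record byte count in both tokens covers header, body and trailer.
"""
import struct

AUT_HEADER32 = 0x14
AUT_TRAILER = 0x13
TRAILER_MAGIC = 0xB105
HEADER32_FMT = ">BIBHHII"
TRAILER_FMT = ">BHI"
HEADER32_LEN = struct.calcsize(HEADER32_FMT)  # 18
TRAILER_LEN = struct.calcsize(TRAILER_FMT)    # 7


def build_record(event_type, seconds, msec, body=b"", version=11):
    """Construct one header32 + body + trailer record (used only to build the sample trail)."""
    total = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(HEADER32_FMT, AUT_HEADER32, total, version, event_type, 0, seconds, msec)
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, TRAILER_MAGIC, total)
    return header + body + trailer


def parse_header32(data, off):
    """Decode the header32 token at offset `off`; raise ValueError if it is not one."""
    if off + HEADER32_LEN > len(data):
        raise ValueError(f"offset {off}: trail ends inside a header token")
    tok, count, version, event, modifier, sec, msec = struct.unpack_from(HEADER32_FMT, data, off)
    if tok != AUT_HEADER32:
        raise ValueError(f"offset {off}: expected header32 token 0x14, got 0x{tok:02x}")
    return {"count": count, "version": version, "event": event,
            "modifier": modifier, "sec": sec, "msec": msec}


def validate_trail(data):
    """Return [(offset, event_type, byte_count), ...] for every well-framed record.

    Raises ValueError on the first framing problem: wrong token id, a byte count
    that is too small or runs past the end of the trail, missing trailer magic,
    or header and trailer byte counts that disagree.
    """
    records = []
    off = 0
    while off < len(data):
        hdr = parse_header32(data, off)
        count = hdr["count"]
        if count < HEADER32_LEN + TRAILER_LEN:
            raise ValueError(f"offset {off}: byte count {count} smaller than header+trailer")
        if off + count > len(data):
            raise ValueError(f"offset {off}: byte count {count} runs past end of trail (truncated?)")
        tr_off = off + count - TRAILER_LEN
        tok, magic, tr_count = struct.unpack_from(TRAILER_FMT, data, tr_off)
        if tok != AUT_TRAILER or magic != TRAILER_MAGIC:
            raise ValueError(f"offset {tr_off}: bad trailer (token 0x{tok:02x}, magic 0x{magic:04x})")
        if tr_count != count:
            raise ValueError(f"offset {off}: header count {count} != trailer count {tr_count}")
        records.append((off, hdr["event"], count))
        off += count
    return records


def check_trail(data):
    """Wrapper returning ('ok', record_count) or ('error', message) instead of raising."""
    try:
        return "ok", len(validate_trail(data))
    except ValueError as exc:
        return "error", str(exc)


# Constructed sample trail: two records with placeholder event ids and bodies.
SAMPLE_TRAIL = (
    build_record(event_type=0x2A, seconds=1106342370, msec=0, body=b"\x27\x00" + b"\x00" * 4)
    + build_record(event_type=0x2B, seconds=1106342371, msec=5, body=b"")
)

if __name__ == "__main__":
    print(check_trail(SAMPLE_TRAIL))          # ('ok', 2)
    print(check_trail(SAMPLE_TRAIL[:-3]))     # truncated: last record runs past the end
    print(check_trail(SAMPLE_TRAIL[:18]))     # header-only fragment
```

Praudit-style tools decode the tokens between header and trailer as well; this check deliberately stops at framing, which is the part a trail reader must get right before any of the body tokens can be trusted, and it fails closed on the first inconsistent record rather than skipping ahead.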
