TrustedBSD status from Oct-Dec 2003
Ilmar S. Habibulin
ilmar at watson.org
Tue Mar 2 10:15:27 GMT 2004
On Fri, 13 Feb 2004, Robert Watson wrote:
> A partial implementation of Audit appears in the open source Darwin 7
> kernel tree. You can peruse that at:
>
> http://fxr.watson.org/fxr/source/?v=DARWIN7
>
> I've done a partial port of the partial implementation to the
> trustedbsd_audit2 branch, which you can peruse using:
>
> http://perforce.freebsd.org/dtb.cgi?FSPC=depot/projects/trustedbsd/audit2&HIDEDEL=NO
I've tried to use both sources and integrate audit2 into the mac branch, using
cut-n-paste technology. But not everything was ported from Darwin to
FreeBSD. I mean the syscall audit mechanism. There are functions that should
initialize the syscall audit record and commit it to some queue or storage,
but they are not called. If I'm wrong, can you point me to where I should
find the calls to audit_syscall_enter() and audit_syscall_exit()? I suppose
they must be called from the trap.c syscall() function for the i386 architecture?
BTW - IMHO, it is the best approach. Just mark the audited syscall, get any
info you can get, and sort it out in userland. You needn't modify each
syscall to make it init the audit record, construct it and commit. Only the
syscall()-like functions for each supported architecture should be
modified.
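As an added illustration of the single-hook approach argued for in this message (a constructed model, not code from FreeBSD, Darwin or the audit2 branch), here is a userland sketch of the audit_syscall_enter()/audit_syscall_exit() pair: the entry hook snapshots the syscall number and raw arguments into a per-thread record only when the syscall is preselected, and the exit hook attaches the return value and commits the record to a queue, signalling when the queue is full so dropped records can be counted. The preselection bitmask, argument count and queue size are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: a per-thread audit record filled in once at
 * syscall entry and committed once at syscall exit, so that individual
 * syscalls need no audit code of their own. Not kernel code. */

#define AUD_MAXARGS   4    /* raw args kept per record (assumed) */
#define AUD_QUEUE_LEN 8    /* commit queue depth (assumed) */
#define AUD_MAXCODE   64   /* syscall numbers covered by the mask (assumed) */

struct audit_record {
    int       code;               /* syscall number */
    uintptr_t args[AUD_MAXARGS];  /* raw arguments; userland decodes them */
    int       retval;             /* return/error code, filled at exit */
    int       valid;              /* record armed by the entry hook */
};

static struct audit_record cur;                  /* one thread in this model */
static struct audit_record queue[AUD_QUEUE_LEN]; /* committed records */
static size_t   qlen;
static uint64_t audit_mask;                      /* preselection bitmask */

/* Mark a syscall number as audited. */
void audit_enable(int code) {
    if (code >= 0 && code < AUD_MAXCODE) audit_mask |= (1ULL << code);
}

/* Called once from the architecture's syscall() entry path. */
void audit_syscall_enter(int code, const uintptr_t *args, int nargs) {
    cur.valid = 0;
    if (code < 0 || code >= AUD_MAXCODE || !(audit_mask & (1ULL << code)))
        return;                                  /* not preselected: skip */
    if (nargs > AUD_MAXARGS) nargs = AUD_MAXARGS;
    cur.code = code;
    memset(cur.args, 0, sizeof cur.args);
    memcpy(cur.args, args, (size_t)nargs * sizeof *args);
    cur.valid = 1;
}

/* Called once from the syscall() exit path. Returns 1 if committed,
 * 0 if nothing was armed, -1 if the queue is full (record dropped). */
int audit_syscall_exit(int retval) {
    if (!cur.valid) return 0;
    cur.valid  = 0;
    cur.retval = retval;
    if (qlen == AUD_QUEUE_LEN) return -1;
    queue[qlen++] = cur;
    return 1;
}

size_t audit_queue_len(void) { return qlen; }
const struct audit_record *audit_queue_get(size_t i) { return i < qlen ? &queue[i] : NULL; }
```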