This article covers: how to use OpenBSM for real-time auditing of macOS
Introduction
$ cat /etc/security/audit_control
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

flags: lists the audit classes recorded for attributable events and naflags: the classes for non-attributable ones, using the two-letter class names from audit_class below (so the stock configuration records only login/logout and authentication/authorization events); policy:cnt keeps the system running if auditing fails and argv adds command-line arguments to exec records; filesz and expire-after bound trail size and retention. With these defaults no file events are generated at all: before a tool that watches open/read/write calls can see anything, the file classes (fr, fw, fc, fd and so on) have to be added to flags and auditd told to re-read the file with audit -s, or selected on the audit pipe itself through its preselection ioctls.
$ cat /etc/security/audit_class
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#6 $
#
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000080:pc:process
0x00000100:nt:network
0x00000200:ip:ipc
0x00000400:na:non attributable
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00002000:aa:authentication and authorization
0x00004000:ap:application
0x20000000:io:ioctl
0x40000000:ex:exec
0x80000000:ot:miscellaneous
0xffffffff:all:all flags set
The libbsm calls the tool is built on (declared in <bsm/libbsm.h>, linked with -lbsm):

au_read_rec() reads one complete record from the stream into a newly allocated buffer and returns its length in bytes, or -1 on error or end of stream:
    int au_read_rec(FILE *fp, u_char **buf);

au_fetch_tok() decodes the token at the start of buf into tok and records the bytes consumed in tok->len; it returns 0 on success and -1 if the token is truncated or of an unknown type:
    int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);

au_print_tok() writes one decoded token to outfp with del as the field separator; raw selects numeric rather than resolved names and sfrm the short form:
    void au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm);

au_print_flags_tok() is the newer variant that replaces the two char flags with an AU_OFLAG_* bitmask (AU_OFLAG_RAW, AU_OFLAG_SHORT, AU_OFLAG_XML, AU_OFLAG_NORESOLVE):
    void au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags);
1. Open the file with fopen() (usually the audit pipe, /dev/auditpipe) and read records from it by calling au_read_rec(), which returns one record per call in a freshly allocated buffer.
2. For each record, read each token by calling au_fetch_tok() on the buffer, advancing by tok.len after every token.
3. Call au_print_flags_tok() to print each token to an output stream such as stdout.
4. Free the buffer.
5. Close the opened file.
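The five steps above as an added example; this is not the article's filewatcher code. Because libbsm exists only on macOS, read_rec() and fetch_tok() are small stand-ins written here that follow the contracts of au_read_rec() and au_fetch_tok() (record length or -1; 0 or -1 with tok.len set) for the token types in the record; the token layouts, event number 72 (AUE_OPEN_R) and trailer magic 0xb105 come from OpenBSM's headers. The record itself is constructed by hand (pid 1234, euid 501 and /etc/passwd are made-up values), a tmpfile() stands in for fopen("/dev/auditpipe", "r"), and summarize_record() extracts the fields a file/process filter needs instead of printing every token. On macOS, swap in the real libbsm calls and hand each tok to au_print_flags_tok() for praudit-style output.

```c
/* Added example, not the article's filewatcher: the five-step libbsm flow from the text, with
 * read_rec()/fetch_tok() standing in for au_read_rec()/au_fetch_tok() so it builds without libbsm.
 * On macOS use the real calls from <bsm/libbsm.h>, link -lbsm, and fopen("/dev/auditpipe", "r"). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
enum { AUT_TRAILER = 0x13, AUT_HEADER32 = 0x14, AUT_PATH = 0x23,          /* token ids and trailer  */
       AUT_SUBJECT32 = 0x24, AUT_RETURN32 = 0x27, TRAILER_MAGIC = 0xb105 }; /* magic, audit_record.h */
typedef struct { unsigned char id; int len; const unsigned char *body; } tok_t;  /* len counts the id byte */
typedef struct { uint16_t event; uint32_t euid, pid, retval; uint8_t err; char path[256]; int trailer_ok, ntokens; } rec_summary_t;
static uint32_t be32(const unsigned char *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const unsigned char *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }

/* Constructed sample record (not captured from a real host), big-endian: header32 (byte count 83, version 11,
 * event 72 = AUE_OPEN_R), subject32 (auid/euid/ruid 501, egid/rgid 20, pid 1234, sid 100, tid 0), path
 * "/etc/passwd" (length 12 incl. NUL), return32 (errno 0, fd 3), trailer (magic 0xb105, byte count 83). */
static const unsigned char sample_rec[] = {
    0x14, 0x00,0x00,0x00,0x53, 0x0b, 0x00,0x48, 0x00,0x00, 0x59,0x62,0xe6,0x00, 0x00,0x00,0x00,0x00,
    0x24, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x00,0x14, 0x00,0x00,0x01,0xf5, 0x00,0x00,0x00,0x14,
          0x00,0x00,0x04,0xd2, 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x23, 0x00,0x0c, '/','e','t','c','/','p','a','s','s','w','d', 0x00,
    0x27, 0x00, 0x00,0x00,0x00,0x03,
    0x13, 0xb1,0x05, 0x00,0x00,0x00,0x53,
};

/* Step 1, stand-in for au_read_rec(): read one header32 record into a malloc'd buffer.
 * Returns the record length, or -1 on EOF, bad header, absurd length or truncation. */
int read_rec(FILE *fp, unsigned char **buf)
{
    unsigned char hdr[5]; *buf = NULL;
    if (fread(hdr, 1, sizeof hdr, fp) != sizeof hdr || hdr[0] != AUT_HEADER32) return -1;
    uint32_t reclen = be32(hdr + 1);                              /* byte count runs header through trailer */
    if (reclen < sizeof hdr || reclen > 64 * 1024 || (*buf = malloc(reclen)) == NULL) return -1;
    memcpy(*buf, hdr, sizeof hdr);
    if (fread(*buf + sizeof hdr, 1, reclen - sizeof hdr, fp) == reclen - sizeof hdr) return (int)reclen;
    free(*buf); *buf = NULL;                                      /* short read: drop the partial record */
    return -1;
}

/* Step 2, stand-in for au_fetch_tok(): decode the token at buf. Returns 0 and sets tok->len,
 * or -1 for an unknown or truncated token, at which point the caller must stop parsing. */
int fetch_tok(tok_t *tok, const unsigned char *buf, int len)
{
    if (len < 1) return -1;
    tok->id = buf[0]; tok->body = buf + 1;
    switch (tok->id) {
    case AUT_HEADER32:  tok->len = 18; break;                     /* id,len,ver,event,mod,sec,msec */
    case AUT_SUBJECT32: tok->len = 37; break;                     /* id + 9 x uint32 */
    case AUT_RETURN32:  tok->len = 6;  break;                     /* id,errno,retval */
    case AUT_TRAILER:   tok->len = 7;  break;                     /* id,magic,len */
    case AUT_PATH:      if (len < 3) return -1; tok->len = 3 + be16(buf + 1); break;
    default:            return -1;                                /* never guess an unknown token's size */
    }
    return tok->len <= len ? 0 : -1;
}

/* Steps 2-3 over one record: walk every token and keep the fields a filewatcher-style filter
 * needs (what au_print_flags_tok() would print per token). Returns the token count, or -1. */
int summarize_record(const unsigned char *buf, int len, rec_summary_t *s)
{
    tok_t t; int off = 0;
    memset(s, 0, sizeof *s);
    while (off < len) {
        if (fetch_tok(&t, buf + off, len - off) != 0) return -1;
        switch (t.id) {
        case AUT_HEADER32:  s->event = be16(t.body + 5); break;
        case AUT_SUBJECT32: s->euid = be32(t.body + 4); s->pid = be32(t.body + 20); break;
        case AUT_RETURN32:  s->err = t.body[0]; s->retval = be32(t.body + 1); break;
        case AUT_TRAILER:   s->trailer_ok = be16(t.body) == TRAILER_MAGIC && (int)be32(t.body + 2) == len; break;
        case AUT_PATH: {
            size_t n = be16(t.body);
            if (n == 0 || n > sizeof s->path) return -1;
            memcpy(s->path, t.body + 2, n); s->path[n - 1] = '\0';  /* terminate even if the record did not */
            break;
        }
        }
        s->ntokens++; off += t.len;
    }
    return s->ntokens;
}

/* Steps 1-5 end to end; a temp file stands in for /dev/auditpipe. Returns the record length, or -1. */
int run_sample(rec_summary_t *s)
{
    FILE *fp = tmpfile(); if (!fp) return -1;
    fwrite(sample_rec, 1, sizeof sample_rec, fp); rewind(fp);      /* a short write just fails read_rec() */
    unsigned char *buf; int reclen = read_rec(fp, &buf);            /* 1: read a record   */
    if (reclen > 0 && summarize_record(buf, reclen, s) < 0) reclen = -1; /* 2-3: walk tokens   */
    free(buf);                                                           /* 4: free the buffer */
    fclose(fp);                                                          /* 5: close the file  */
    return reclen;
}

int main(void)
{
    rec_summary_t s;
    if (run_sample(&s) < 0) return 1;
    printf("event %u pid %u euid %u %s -> %u (trailer %s)\n", s.event, s.pid, s.euid, s.path, s.retval, s.trailer_ok ? "ok" : "BAD");
    return 0;
}
```

Two failure modes of the real API are kept on purpose: read_rec() rejects a record whose header length is implausible or whose body comes up short, and fetch_tok() returns -1 on an unknown token type instead of guessing a length, because a guessed length desynchronizes every later token in the record. Compile with cc and run; the program prints one summary line for the constructed record.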
Installation
gcc filewatcher.c lib/*.c -lbsm -o bin/filewatcher
$ sudo ./bin/filewatcher -h
filewatcher - a simple auditing utility for macOS
Usage: ./bin/filewatcher [OPTIONS]
  -f, --file     Set a file to filter
  -h, --process  Set a process name to filter
  -a, --all      Display all events (By default only basic events like open/read/write are displayed)
  -d, --debug    Enable debugging messages to be saved into a file
  -h, --help     Print this help and exit
Original publication date: July 10, 2017
Author: 愣娃
This article comes from 嘶吼, a partner of the Yunqi community; for related information, follow the 嘶吼 website.