Is this list dead

Casey Schaufler casey at sgi.com
Thu Sep 16 16:10:53 GMT 1999


Robert Watson wrote:
> 
> On Thu, 16 Sep 1999, Ilmar S. Habibulin wrote:
> 
> > Subj.
> 
> Well, it's acting a little dead, but my hope is that it will not stay that
> way indefinitely.

Ya know, I had noticed that something was missing, but couldn't
quite place it. I had ascribed the lack of activity to it being
summer (my hemispheric centricity showing!) and expected to see
things pick up once vacations wrapped up.

Starting October 1st I will have actual staffing available to
work on commercial C2 and B1 Linux distributions. I have a stated
engineering goal of C2 feature completion by 10/2000 and B1
feature completion by 4/2001. This will be fully open source.
The plan is for C2 and B1 to be regular parts of the
SGI distribution.

In addition, I have been working with some people who cannot
themselves work in public forums, including mail and news groups.
They also wish to make contributions, especially in the areas of
Mandatory Access Control (we need a less overloaded acronym than
"MAC". Any thoughts?), policy description, and security test suites.

> We've been redesigning how the record gathering mechanism is integrated
> into FreeBSD, as there are parallel trace mechanisms (such as ktrace) that
> serve a similar function.

Good art never borrows. It's much better to steal. Also, it's
much easier to sell audit if you can call it an extension to
an existing, well liked mechanism.
 
> I'm interested in the possibility of pinning down an IDS module
> interface--i.e., a standard API by which IDS modules can talk to a
> provider of audit records, specifying what they are interested in so as to
> make detecting events more efficient.  This would presumably include
> functions to describe interesting records, functions to retrieve the
> records when available, and functions to report events via some
> event-reporting architecture.

My understanding is that the state of the art for IDS is to suck
information out of a relational database. This separates the security
function from the data gathering and relationship processing.
If IDS is a real concern, perhaps defining a set of relations might
be the best way to go, and design the audit records to fit nicely
into the relations.


-- 

Casey Schaufler                         voice: (650) 933-1634
casey at sgi.com                           fax:   (650) 933-0170
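The "define a set of relations and design the audit records to fit them" approach from the reply above, worked through as an added example. This is not code from the posix1e list, SGI or FreeBSD; the three relations (subject, object, event), the label-ordering relation used for the MAC check, and the sample audit records are all constructed for illustration. Two detections are expressed purely as queries over the relations: a burst of failed accesses by one subject inside a sliding time window, and a Bell-LaPadula style "read up" (a subject at a lower level successfully reading a higher-level object) that the audit trail shows succeeded and which a MAC policy should have denied.

```python
"""
Audit records as relations: an in-memory sqlite3 model of the idea that
IDS logic can be written as queries over normalised audit data.
Added example; schema and records are hypothetical, not a real audit format.
"""
import sqlite3
from typing import List, Tuple

# Hypothetical schema: subject/object/event relations plus a total order on
# sensitivity labels so that dominance can be checked inside SQL.
SCHEMA = """
CREATE TABLE level   (label TEXT PRIMARY KEY, rank INTEGER NOT NULL);
CREATE TABLE subject (sid INTEGER PRIMARY KEY, uid INTEGER, pid INTEGER,
                      label TEXT, UNIQUE (uid, pid, label));
CREATE TABLE object  (oid INTEGER PRIMARY KEY, path TEXT UNIQUE, label TEXT);
CREATE TABLE event   (eid INTEGER PRIMARY KEY, ts INTEGER, sid INTEGER,
                      oid INTEGER, op TEXT, outcome TEXT);
"""

LEVELS = [("unclassified", 0), ("confidential", 1), ("secret", 2)]

# Constructed sample audit records (not captured from any system):
# (ts, uid, pid, subject label, path, object label, op, outcome)
RECORDS: List[Tuple] = [
    (100, 1000, 4242, "unclassified", "/etc/passwd",        "unclassified", "read",  "success"),
    (101, 1000, 4242, "unclassified", "/etc/master.passwd", "secret",       "read",  "failure"),
    (102, 1000, 4242, "unclassified", "/etc/master.passwd", "secret",       "read",  "failure"),
    (103, 1000, 4242, "unclassified", "/root/.rhosts",      "secret",       "read",  "failure"),
    (104, 1000, 4242, "unclassified", "/etc/shadow",        "secret",       "read",  "failure"),
    (500, 0,    1,    "confidential", "/var/log/audit",     "secret",       "write", "success"),
    (900, 1001, 5151, "unclassified", "/srv/plans.txt",     "secret",       "read",  "success"),
]


def load(records) -> sqlite3.Connection:
    """Normalise flat audit records into the subject/object/event relations."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO level(label, rank) VALUES (?, ?)", LEVELS)
    for ts, uid, pid, slabel, path, olabel, op, outcome in records:
        # One subject row per (uid, pid, label), one object row per path.
        conn.execute("INSERT OR IGNORE INTO subject(uid, pid, label) VALUES (?, ?, ?)",
                     (uid, pid, slabel))
        conn.execute("INSERT OR IGNORE INTO object(path, label) VALUES (?, ?)",
                     (path, olabel))
        (sid,) = conn.execute("SELECT sid FROM subject WHERE uid=? AND pid=? AND label=?",
                              (uid, pid, slabel)).fetchone()
        (oid,) = conn.execute("SELECT oid FROM object WHERE path=?", (path,)).fetchone()
        conn.execute("INSERT INTO event(ts, sid, oid, op, outcome) VALUES (?, ?, ?, ?, ?)",
                     (ts, sid, oid, op, outcome))
    conn.commit()
    return conn


def failed_access_bursts(conn, threshold: int = 3, window: int = 10):
    """Subjects with >= threshold failed operations inside a sliding window.

    Each failed event opens a window [ts, ts + window]; the self-join counts
    the same subject's failures that fall inside it. Returns
    (uid, pid, window_start, failures) rows ordered by window start.
    """
    sql = """
    SELECT s.uid, s.pid, e.ts AS window_start, COUNT(e2.eid) AS failures
    FROM event e
    JOIN event e2 ON e2.sid = e.sid AND e2.outcome = 'failure'
                 AND e2.ts BETWEEN e.ts AND e.ts + ?
    JOIN subject s ON s.sid = e.sid
    WHERE e.outcome = 'failure'
    GROUP BY e.eid
    HAVING COUNT(e2.eid) >= ?
    ORDER BY e.ts
    """
    return conn.execute(sql, (window, threshold)).fetchall()


def read_up_violations(conn):
    """Successful reads where the object's level strictly dominates the subject's.

    Under the Bell-LaPadula simple-security property such a read must be
    denied, so a 'success' outcome here means the MAC policy was bypassed.
    """
    sql = """
    SELECT s.uid, s.pid, s.label, o.path, o.label
    FROM event e
    JOIN subject s ON s.sid = e.sid
    JOIN object  o ON o.oid = e.oid
    JOIN level  ls ON ls.label = s.label
    JOIN level  lo ON lo.label = o.label
    WHERE e.op = 'read' AND e.outcome = 'success' AND lo.rank > ls.rank
    ORDER BY e.ts
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = load(RECORDS)
    for row in failed_access_bursts(db):
        print("burst of failed accesses (uid, pid, window_start, count):", row)
    for row in read_up_violations(db):
        print("read-up that succeeded (uid, pid, subj label, path, obj label):", row)
```

The point of the layout is the one made in the message: the kernel's only job is to emit records that decompose cleanly into subject, object and event tuples; every detection rule then lives outside the kernel as a query, and adding a new rule means writing a new query rather than touching the audit mechanism. The sliding-window self-join is quadratic in the number of events per subject, which is fine for an example but would want an index on (sid, ts) or a time-bucketed pre-aggregation on a real audit volume.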