audit question (fwd)

Andrew R. Reiter arr at FreeBSD.org
Thu Nov 15 23:51:20 GMT 2001


On Thu, 15 Nov 2001, richard offer wrote:
:
:I personally believe that an audit record should be self contained. It
:should not need any external "mapping" to decipher it. It's just one more
:thing that needs to be kept in-sync with kernel changes. Records are small
:enough that it seems like complication with limited pay-off.

Ok.

:
:A record should not contain any information that is relative to a
:preceding record. If you lose the magic record you've just made your
:entire log worthless (at least for any subsequent legal actions). How do
:you handle log rotations?

This is not what I meant :-)  Essentially, I basically am interested in
just doing some analysis on logs so that I can figure out some figures on
the number of _RELATED_ records generated (ie, the pathname used in the
record is similar (same parent?) as the previous records) so that I may
see if it's worth designing a small and simple primary cache for faster
lookups with audit record creation.

Andrew

--
Andrew R. Reiter
arr at watson.org
arr at FreeBSD.org
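The log analysis Andrew describes, as an added example that is not part of the original thread or of the TrustedBSD audit code: it reduces each audit record to the pathname it carries (the sample list is constructed), counts how many records share a parent directory with the previous record, and reports the hit rate a small LRU cache of parent directories would have seen at record-creation time.

```python
"""Pathname locality in a sequence of audit records (added example)."""
from collections import OrderedDict
import posixpath

# Constructed sample: pathnames carried by consecutive audit records during
# a kernel build, with a few unrelated accesses mixed in.
SAMPLE_PATHS = [
    "/usr/src/sys/kern/kern_exec.c",
    "/usr/src/sys/kern/kern_fork.c",
    "/usr/src/sys/kern/kern_exit.c",
    "/usr/src/sys/sys/proc.h",
    "/usr/src/sys/sys/param.h",
    "/etc/passwd",
    "/usr/src/sys/kern/kern_sig.c",
    "/usr/src/sys/kern/kern_prot.c",
    "/usr/src/sys/sys/ucred.h",
    "/usr/src/sys/kern/kern_malloc.c",
]

def related_record_stats(paths, cache_entries=1):
    """Return (total, same_parent_as_previous, cache_hits).

    same_parent_as_previous: records whose parent directory equals the
    previous record's parent (the "related records" measure).
    cache_hits: hits in a simulated LRU cache holding `cache_entries`
    parent directories, consulted before the full lookup.
    """
    total = same_parent = hits = 0
    prev_parent = None
    cache = OrderedDict()  # parent dir -> None, least recently used first
    for path in paths:
        parent = posixpath.dirname(posixpath.normpath(path))
        total += 1
        if parent == prev_parent:
            same_parent += 1
        if parent in cache:
            hits += 1
            cache.move_to_end(parent)  # mark as most recently used
        else:
            cache[parent] = None
            if len(cache) > cache_entries:
                cache.popitem(last=False)  # evict least recently used
        prev_parent = parent
    return total, same_parent, hits

def hit_rate(paths, cache_entries=1):
    """Fraction of records served by the simulated cache (0.0 if empty)."""
    total, _, hits = related_record_stats(paths, cache_entries)
    return hits / total if total else 0.0
```

Run it over real audit output by feeding the extracted pathnames in record order; comparing hit rates for one, two and four entries shows whether the locality justifies a cache at all.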
