TrustedBSD Auditing Facilities (was RE: FreeBSD usage in safety-critical environments)

Derrell Piper ddp at electric-loft.org
Mon Oct 14 12:34:35 GMT 2002


On Friday, October 11, 2002, at 12:04 AM, Nelson, Trent . wrote:

> Has anyone taken a look at how Tru64 UNIX tackles auditing, or even
> enhanced security in general?

> The Security Integration Architecture and auditing subsystem of
> Tru64 UNIX are quite elegant, IMO, and I believe they'd provide a good
> basis for the road TrustedBSD would eventually have to travel down.

Tru64 largely followed the model that we pioneered in VMS:

http://www.openvms.compaq.com/doc/731FINAL/6346/6346PRO.HTM#a654479389

Note that VMS separately distinguishes between real-time alarms and 
file-based audits, allowing you to specify either in the ACL for a 
protected object.  This is quite handy as it allows you to enable 
auditing on a per-object basis.  VMS also allows you to create the UNIX 
equivalent of a PF_UNIX socket and receive real-time events for 
external processing (think external pager conduits).

At the time of our C2/B1 evaluation, there were no interpretations 
against audit buffer caches in any associated auditing daemon.  VMS has 
lots and lots of buffering (below the daemon there is a record 
management layer on top of a clustered file system).  We did provide a 
command line option to flush the audit buffer cache (and of course we 
periodically flushed it in the daemon).

We did have lots of discussion about what happens when the audit log 
fills up and we provided several switches to deal with that - purge 
oldest events, suspend non-critical processes until space frees up, 
crash the system.  The only option the NCSC really insisted upon was 
the crash option.

I would agree with the general assessment that Tru64's auditing 
implementation is pretty good, at least from the documentation.  I 
haven't really used Tru64 since when it was OSF/1.  :-)

Is there a whitepaper for what's being planned for TrustedBSD?

Derrell

