TrustedBSD Auditing Facilities (was RE: FreeBSD usage in safety-critical environments)
Derrell Piper
ddp at electric-loft.org
Mon Oct 14 12:34:35 GMT 2002
On Friday, October 11, 2002, at 12:04 AM, Nelson, Trent . wrote:
> Has anyone taken a look at how Tru64 UNIX tackles auditing, or even
> enhanced security in general?
> The Security Integration Architecture and auditing subsystem of
> Tru64 UNIX are quite elegant, IMO, and I believe they'd provide a good
> basis for the road TrustedBSD would eventually have to travel down.
Tru64 largely followed the model that we pioneered in VMS:
http://www.openvms.compaq.com/doc/731FINAL/6346/6346PRO.HTM#a654479389
Note that VMS separately distinguishes between real-time alarms and
file-based audits, allowing you to specify either in the ACL for a
protected object. This is quite handy as it allows you to enable
auditing on a per-object basis. VMS also allows you to create the UNIX
equivalent of a PF_UNIX socket and receive real-time events for
external processing (think external pager conduits).
At the time of our C2/B1 evaluation, there were no interpretations
against audit buffer caches in any associated auditing daemon. VMS has
lots and lots of buffering (below the daemon there is a record
management layer on top of a clustered file system). We did provide a
command line option to flush the audit buffer cache (and of course we
periodically flushed it in the daemon).
We did have lots of discussion about what happens when the audit log
fills up and we provided several switches to deal with that - purge
oldest events, suspend non-critical processes until space frees up,
crash the system. The only option the NCSC really insisted upon was
the crash option.
I would agree with the general assessment that Tru64's auditing
implementation is pretty good, at least from the documentation. I
haven't really used Tru64 since when it was OSF/1. :-)
Is there a whitepaper for what's being planned for TrustedBSD?
Derrell