PERFORCE change 63119 for review

Andrew R. Reiter arr at watson.org
Mon Oct 18 16:12:19 GMT 2004


On Sun, 17 Oct 2004, Wayne Salamon wrote:

:On Oct 13, 2004, at 11:07 AM, Andrew R. Reiter wrote:
:
:> Is this p4 tree available via cvsup?  If so, just curious if you could
:> let me know the label.  I'd like to help out where I can.
:>
:   I think you have access to the branch now.
:
:   Here's a quick TODO list (I'm cc'ing the audit list for others to
:consider)

Ok, great.  I'll attempt to get my tree set up today and begin code review.


:
:1) Lots of system calls need auditing. Some are going to be fairly
:mechanical, using straight-forward audit record. For others, we may
:have to come up with new record types.
:2) The audit daemon needs work; log rotation doesn't always work
:correctly. This is next on my list.
:3) Integration of later TrustedBSD code.
:4) Pathname lookup. The audit code uses vn_fullpath(), which isn't
:always successful.
:5) Test programs. I have a suite of code that exercises system calls
:and checks the audit log, but more would be nice, especially for
:stress testing.
:6) Not all of the commands for the auditon() system call are
:implemented.
:7) Code cleanup, removal of Darwin commentary, etc.
:8) XXX comments, some involve locking questions, need resolution.
:
:Most of the kernel infrastructure is in place. Audit records are
:written, event->class mappings work, some calls are audited,
:preselection works, and the kernel->auditd IPC mechanism works. Also,
:the kernel calls for audit log rotation and detects a near full
:filesystem, notifying the audit daemon of those events.
:
:I'm swamped for the next few weeks at work, but will try to poke at
:some of these issues. Any assistance is greatly appreciated.
:
:Thanks,
:--------------------------
:Wayne Salamon
:wsalamon at freebsd.org
:

--
Andrew R. Reiter
arr at watson.org
arr at FreeBSD.org