Selective monitoring of 'information flow' events?

Marcin Koziej creep at desk.pl
Sun Nov 20 14:19:53 GMT 2005


Hi,
I'm working on an intelligent intrusion detection system for 
academic/educational purposes. The labeled objects with the information flow 
model in TrustedBSD would really be very useful in my research.

I'd like to plug into the TrustedBSD framework and get records:
source -information flow-> destination, possibly being able to change 
monitoring selectively by changing the labels (e.g. interest level).

It seems OpenBSM is not for me (it gathers information from cooperating 
applications).
Maybe I could write a MAC policy based on src/sys/security/mac_* which 
gathers information into a cyclic buffer for userland to read from later?
Maybe there is an audit function already which provides this feature?

Could you provide me with your reflections on this topic and/or pointers 
to documents/source code.


Thank you for your time,
Best regards,
Marcin Koziej
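As an added illustration of the design sketched in the post (not code from TrustedBSD, the MAC framework, or the poster), the following is a user-space model of the cyclic buffer idea: flow records carry a source label, a destination label and an interest level; a run-time threshold decides which flows are kept, and a drain routine hands the buffered records to a reader oldest-first while counting what was lost to overwrite or filtered out. Label values, the `interest` field and all function names are hypothetical; the kernel-side wiring (where the record call would sit and how userland would drain it) is deliberately left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FLOW_RING_SLOTS 8   /* small on purpose so the demo shows overwrite */

/* One "source -information flow-> destination" event. Labels are
 * hypothetical numeric ids standing in for real MAC labels. */
struct flow_record {
    uint32_t src_label;
    uint32_t dst_label;
    uint8_t  interest;    /* interest level stamped on the flow, 0 = lowest */
};

struct flow_ring {
    struct flow_record slots[FLOW_RING_SLOTS];
    size_t   head;        /* next slot to write */
    size_t   count;       /* records currently buffered */
    uint64_t overwritten; /* records lost because the reader was too slow */
    uint64_t filtered;    /* records dropped by the interest threshold */
    uint8_t  min_interest;/* changeable at run time: the "selective" part */
};

void flow_ring_init(struct flow_ring *r, uint8_t min_interest) {
    memset(r, 0, sizeof *r);
    r->min_interest = min_interest;
}

/* Raising or lowering the threshold changes what gets recorded from now on. */
void flow_ring_set_interest(struct flow_ring *r, uint8_t min_interest) {
    r->min_interest = min_interest;
}

/* Returns 1 if the flow was stored, 0 if it fell below the threshold.
 * When the ring is full the oldest record is overwritten and counted. */
int flow_ring_record(struct flow_ring *r, uint32_t src, uint32_t dst, uint8_t interest) {
    if (interest < r->min_interest) {
        r->filtered++;
        return 0;
    }
    r->slots[r->head] = (struct flow_record){ src, dst, interest };
    r->head = (r->head + 1) % FLOW_RING_SLOTS;
    if (r->count == FLOW_RING_SLOTS)
        r->overwritten++;           /* oldest record was just replaced */
    else
        r->count++;
    return 1;
}

/* Reader side: copy up to max records, oldest first, and return how many. */
size_t flow_ring_drain(struct flow_ring *r, struct flow_record *out, size_t max) {
    size_t n = 0;
    size_t tail = (r->head + FLOW_RING_SLOTS - r->count) % FLOW_RING_SLOTS;
    while (r->count > 0 && n < max) {
        out[n++] = r->slots[tail];
        tail = (tail + 1) % FLOW_RING_SLOTS;
        r->count--;
    }
    return n;
}

int main(void) {
    struct flow_ring ring;
    struct flow_record out[FLOW_RING_SLOTS];
    flow_ring_init(&ring, 2);

    /* Constructed sample flows: one below the threshold, the rest above. */
    flow_ring_record(&ring, 10, 20, 1);   /* filtered */
    for (uint32_t i = 0; i < 12; i++)     /* more than the ring holds */
        flow_ring_record(&ring, i, i + 1, 5);

    size_t n = flow_ring_drain(&ring, out, FLOW_RING_SLOTS);
    printf("drained %zu records, overwritten %llu, filtered %llu\n",
           n, (unsigned long long)ring.overwritten,
           (unsigned long long)ring.filtered);
    for (size_t k = 0; k < n; k++)
        printf("  %u -> %u (interest %u)\n",
               out[k].src_label, out[k].dst_label, out[k].interest);
    return 0;
}
```

The two counters are the part worth keeping in any real implementation: a monitor that silently loses records under load, or that silently hides flows below the threshold, gives the detection system a false picture of coverage.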