event auditing

[richard offer]

* frm thenamelessone at abacho.de "08/03/01 18:42:38 +0200" | sed '1,$s/^/* /'
*
* an idea for making event auditing extensible:
* there are some defined events. you can enable or
* disable the events.this means that an action will
* happen if the event occurs or nothing will happen.
* the action can also be defined.perhaps only a message
* an user-level security manager shall be sent and the
* manager decides what to do.
* 

You really want the kernel to decide whether to record or throw away the
audit record, audit will generate a huge ammount of data, passing all that
up to userland only to throw away 99% of it is sub-optimal.

Note that there are requirements for audit event selection, both pass and
fail must be independently selectable.

richard.

-----------------------------------------------------------------------
Richard Offer                     Technical Lead, Trust Technology, SGI
"Specialization is for insects"
_______________________________________________________________________


To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message