event auditing
Andrew R. Reiter
arr at watson.org
Fri Aug 3 19:57:59 GMT 2001
I've been really busy and unable to make progress on any audit work, so
what I have so far, which I've mailed the url to multiple times, is at:
http://www.watson.org/~arr/trustedbsd-audit/
...
On Fri, 3 Aug 2001, richard offer wrote:
>
>
> * frm thenamelessone at abacho.de "08/03/01 18:42:38 +0200" | sed '1,$s/^/* /'
> *
> * an idea for making event auditing extensible:
> * there are some defined events. you can enable or
> * disable the events. this means that an action will
> * happen if the event occurs or nothing will happen.
> * the action can also be defined. perhaps only a message
> * an user-level security manager shall be sent and the
> * manager decides what to do.
> *
>
> You really want the kernel to decide whether to record or throw away the
> audit record, audit will generate a huge amount of data, passing all that
> up to userland only to throw away 99% of it is sub-optimal.
>
> Note that there are requirements for audit event selection, both pass and
> fail must be independently selectable.
>
> richard.
>
> -----------------------------------------------------------------------
> Richard Offer Technical Lead, Trust Technology, SGI
> "Specialization is for insects"
> _______________________________________________________________________
>
>
> To Unsubscribe: send mail to majordomo at trustedbsd.org
> with "unsubscribe trustedbsd-discuss" in the body of the message
>
*-------------.................................................
| Andrew R. Reiter
| arr at fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead
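
The kernel-side selection described in the quoted reply, sketched as an added example that is not part of the original message and is not TrustedBSD code: each event is checked against separate success and failure masks before any record would be built or passed to userland. All names, event classes and sample events are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical event classes, constructed for this example. */
#define EVC_FILE_READ  (1u << 0)
#define EVC_FILE_WRITE (1u << 1)
#define EVC_PROCESS    (1u << 2)
#define EVC_LOGIN      (1u << 3)

/* Pass and fail are selected independently: one mask per outcome. */
struct audit_presel { uint32_t on_success; uint32_t on_failure; };
struct audit_event  { uint32_t evclass; int error; };  /* error 0 = success */
struct audit_stats  { unsigned long recorded, dropped; };

/* Return 1 if an event of this class with this outcome is selected. */
static int audit_preselect(const struct audit_presel *p, uint32_t evclass, int error)
{
    uint32_t mask = (error == 0) ? p->on_success : p->on_failure;
    return (mask & evclass) != 0;
}

/* Simulated in-kernel commit path: the decision precedes record construction. */
static struct audit_stats audit_run(const struct audit_presel *p,
                                    const struct audit_event *ev, size_t n)
{
    struct audit_stats st = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (audit_preselect(p, ev[i].evclass, ev[i].error))
            st.recorded++;  /* a kernel would build and queue the record here */
        else
            st.dropped++;   /* discarded in place, never copied to userland */
    }
    return st;
}

/* Constructed policy: all writes, plus failed reads and failed logins. */
static const struct audit_presel sample_policy = {
    .on_success = EVC_FILE_WRITE,
    .on_failure = EVC_FILE_READ | EVC_FILE_WRITE | EVC_LOGIN,
};
/* Constructed events: {class, errno-style result}. */
static const struct audit_event sample_events[] = {
    {EVC_FILE_READ, 0}, {EVC_FILE_READ, 13}, {EVC_FILE_WRITE, 0}, {EVC_PROCESS, 0},
    {EVC_LOGIN, 13}, {EVC_LOGIN, 0}, {EVC_PROCESS, 1},
};
#define N_SAMPLE (sizeof(sample_events) / sizeof(sample_events[0]))

int main(void)
{
    struct audit_stats st = audit_run(&sample_policy, sample_events, N_SAMPLE);
    printf("recorded=%lu dropped=%lu\n", st.recorded, st.dropped);
    return 0;
}
```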