Freebsd auditing in 7.0?

[Jonathan Bond-Caron]

Thanks for the information, I'd definitely be testing audit on 7.0

And great paper! I really enjoyed the read

-----Original Message-----
From: Robert Watson [mailto:rwatson at FreeBSD.org] 
Sent: May 7, 2008 7:24 PM
To: Jonathan Bond-Caron
Cc: freebsd-current at freebsd.org
Subject: Re: Freebsd auditing in 7.0?


On Wed, 7 May 2008, Jonathan Bond-Caron wrote:

> I recently read this paper: 
> http://www.trustedbsd.org/20060303-ukuug2006lisa-audit.pdf
>
> I'm wondering if there are any new features in 7.0 for auditing freebsd
and 
> if audit is included in the base?

Changes between audit as shipped in 6.2 and 7.0 are largely incremental -- 
support for printing audit records as XML, better support for emulation 
environments such as 32-bit binaryes on 64-bit systems, Linux-emulated 
binaries, improved IPv6 support, etc.

> I've been using syslog-ng on 6.2 for some time but audit looks more
rigorous 
> to track system events & changes. Are there auditing options in 7.0 that 
> allow sending logs to a central server over SSL? Or any recommendations 
> other then syslog-ng?
>
> The goal is track more system events & centralize the log files at a
central 
> server.

Last year we had a GSoC project looking at distributed auditing, but I'm not

sure there was a usable end result (perhaps someone else can point us at it
if 
so).  I'm aware of one on-going project looking at SSL-enabled distributed
log 
parts, but I'm not sure if the author is willing to turn himself in as-yet. 
Perhaps soon :-). I would certainly anticipate that this is a feature we
will 
ship in the future, but any dates would be hand-waving at this point, 
unfortunately.

Robert N M Watson
Computer Laboratory
University of Cambridge