From owner-freebsd-security Mon Sep 20 12: 1: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 631CC15377 for ; Mon, 20 Sep 1999 12:01:01 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA60130; Mon, 20 Sep 1999 11:59:32 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199909201859.LAA60130@gndrsh.dnsmgr.net>
Subject: Re: Real-time alarms
In-Reply-To: <199909201708.LAA01364@mt.sri.com> from Nate Williams at "Sep 20, 1999 11:08:11 am"
To: nate@mt.sri.com (Nate Williams)
Date: Mon, 20 Sep 1999 11:59:32 -0700 (PDT)
Cc: robert+freebsd@cyrus.watson.org (Robert Watson), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > I'd advise against developing any more codebases for auditing--we already
> > > have two :-). I have a /dev/audit, submission of records from a number of
> > > syscalls, an auditd + IDS interface, and some log management code. Nate's
> > > folk are working on a better kernel interface and implementation, as was
> > > discussed on freebsd-security in July (please see archive for details).
> > > My userland library currently supports most of the posix.1e audit
> > > interface spec, and I have a set of posix.1e extensions for IDS modules.
> > > My hope is to adapt my auditd to speak Nate's kernel improvements, but
> > > continue to provide a standard interface and useful tools/etc.
> >
> > URL to source code please... and I already pointed out that we need
> > to at least look at what is out there.
>
> Robert's code exists, but we both agree it was not the most efficient
> way of doing things. My code is not yet available for reasons already
> stated publicly.
>
> If/when it's to the point that it actually does something significant,
> then maybe I'll put up a snapshot for public consumption, but no
       ^^^^^^^^^^^
> earlier.
>

I say that then we should move forward as if your code doesn't exist,
I don't want to see this wait 3 or 4 months on a ``maybe'' some code...
I understand this code is being written for SRI under employment
conditions and fear it may never see the outside of SRI.

I'm not saying that you should stop your input process here, but let's
not hold us off for 3 months on a maybe we can get some code. There
are people here today willing to start developing code in a public
forum that we can be assured will be available as it evolves.

Open development is part of the game...

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message