From: "Jonathan Bond-Caron"
To: "'Robert Watson'"
Cc: freebsd-current@freebsd.org
Date: Thu, 8 May 2008 09:08:04 -0400
Subject: RE: Freebsd auditing in 7.0?

Thanks for the information, I'd definitely be testing audit on 7.0.

And great paper! I really enjoyed the read.

-----Original Message-----
From: Robert Watson [mailto:rwatson@FreeBSD.org]
Sent: May 7, 2008 7:24 PM
To: Jonathan Bond-Caron
Cc: freebsd-current@freebsd.org
Subject: Re: Freebsd auditing in 7.0?

On Wed, 7 May 2008, Jonathan Bond-Caron wrote:

> I recently read this paper:
> http://www.trustedbsd.org/20060303-ukuug2006lisa-audit.pdf
>
> I'm wondering if there are any new features in 7.0 for auditing freebsd and
> if audit is included in the base?

Changes between audit as shipped in 6.2 and 7.0 are largely incremental --
support for printing audit records as XML, better support for emulation
environments such as 32-bit binaries on 64-bit systems, Linux-emulated
binaries, improved IPv6 support, etc.

> I've been using syslog-ng on 6.2 for some time but audit looks more rigorous
> to track system events & changes. Are there auditing options in 7.0 that
> allow sending logs to a central server over SSL? Or any recommendations
> other than syslog-ng?
>
> The goal is track more system events & centralize the log files at a central
> server.

Last year we had a GSoC project looking at distributed auditing, but I'm not
sure there was a usable end result (perhaps someone else can point us at it if
so). I'm aware of one on-going project looking at SSL-enabled distributed log
parts, but I'm not sure if the author is willing to turn himself in as-yet.
Perhaps soon :-). I would certainly anticipate that this is a feature we will
ship in the future, but any dates would be hand-waving at this point,
unfortunately.

Robert N M Watson
Computer Laboratory
University of Cambridge