From: "Andrew R. Reiter"
To: "Ilmar S. Habibulin"
Cc: Kris Kennaway, Maxim Sobolev, kris@FreeBSD.ORG, security@FreeBSD.ORG
Date: Mon, 15 Oct 2001 10:19:15 -0400 (EDT)
Subject: Re: Recent major changes in the NetBSD audit system

In general, the specifics of the 12th of October audit system change would be
covered by the TrustedBSD audit system since we're doing much more
fine-grained auditing than what is being done here in NetBSD. Pulling specific
information, such as that listed in the URL below, would be the job of the
pre/post selected audited records and the person who configures that.

I see the importance of what they are doing, but I also feel that they are
going the tripwire route -- which is flawed since it relies on trusting the
kernel for valid information.

Andrew

On Mon, 15 Oct 2001, Ilmar S. Habibulin wrote:

:On Sat, 13 Oct 2001, Kris Kennaway wrote:
:
:> > FYI: http://www.netbsd.org/Changes/#audit-011013
:> Looks cool. Anyone want to port it over?
:
:I think it should be reviewed as part of TrustedBSD audit subsystem.
:
:To Unsubscribe: send mail to majordomo@FreeBSD.org
:with "unsubscribe freebsd-security" in the body of the message

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead