From owner-freebsd-security Mon Sep 20 9:36:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 619C614C07 for ; Mon, 20 Sep 1999 09:36:15 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id KAA27186; Mon, 20 Sep 1999 10:36:10 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id KAA01106; Mon, 20 Sep 1999 10:36:09 -0600
Date: Mon, 20 Sep 1999 10:36:09 -0600
Message-Id: <199909201636.KAA01106@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Rodney W. Grimes"
Cc: jobe@attrition.org (Jobe), security@FreeBSD.ORG
Subject: Re: Real-time alarms
In-Reply-To: <199909200629.XAA57821@gndrsh.dnsmgr.net>
References: <199909200629.XAA57821@gndrsh.dnsmgr.net>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Myself, I like the idea of how bpf handles the filtering side. Compile
> up an expression and shove it into the kernel so you minimize copy out
> operations.

FWIW, I agree completely, and actually looked a bit into this. However,
figuring out how to do that in the as-yet mostly unspecified audit
records is time-consuming. Let's get it working first, then see what
falls out, including a potential rewrite of the entire auditing record
so that 'apf' can be implemented. :)

(As a point of reference, Solaris 'claims' to have kernel-level
filtering, but it turns out that it just sets a 'flag' in the audit
record that tells the userland program whether or not the user asked
for this record, so the filtering is done at userland. *blah*)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
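The two designs contrasted in the message above, as an added example that is not part of the thread and not FreeBSD's or Solaris' audit code: a BPF-style program is "compiled" from an expression, evaluated on the kernel side of the boundary, and only accepted records are copied out; beside it, the flag-and-copy-everything scheme, where the kernel only marks each record and userland does the real filtering. The `audit_rec` layout, the `insn` instruction set, the `apf_*` function names and the five sample records are all assumptions made for this illustration.

```c
/* Added illustration (not FreeBSD or Solaris code): in-kernel BPF-style
 * filtering of audit records vs. flag-and-copy with userland filtering.
 * Record layout, instruction set and sample data are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical audit record; a real format carries far more than this. */
struct audit_rec {
    uint32_t event;  /* event class, e.g. 1 = open, 2 = exec */
    uint32_t uid;    /* subject uid */
    uint32_t rv;     /* syscall return value (0xffffffff = failed) */
};

/* BPF-like instruction: load a field, compare-and-jump, or return. */
enum op { LD_EVENT, LD_UID, JEQ, RET };
struct insn { uint8_t op; uint32_t k; uint8_t jt; uint8_t jf; };

/* Constructed sample records standing in for the kernel's audit queue. */
#define NSAMPLE 5
static const struct audit_rec sample[NSAMPLE] = {
    { 1, 1000, 0 },            /* open  by uid 1000, ok     */
    { 2, 1000, 0 },            /* exec  by uid 1000, ok     */
    { 1,    0, 0 },            /* open  by root,     ok     */
    { 1, 1000, 0xffffffffu },  /* open  by uid 1000, failed */
    { 3, 1000, 0 },            /* other by uid 1000         */
};

/* Interpreter: jumps are relative to the next instruction, as in BPF.
 * Returns nonzero when the program accepts the record. */
static int apf_run(const struct insn *p, size_t n, const struct audit_rec *r)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case LD_EVENT: acc = r->event; pc++; break;
        case LD_UID:   acc = r->uid;   pc++; break;
        case JEQ: pc += 1 + (acc == i->k ? i->jt : i->jf); break;
        case RET: return (int)i->k;
        default:  return 0;  /* malformed program: accept nothing */
        }
    }
    return 0;  /* ran off the end: reject */
}

/* "Compile up an expression": event == ev && uid == u, six instructions.
 * Writes into out[] (at least 6 slots) and returns the program length. */
static size_t apf_compile_event_uid(uint32_t ev, uint32_t u, struct insn *out)
{
    const struct insn prog[] = {
        { LD_EVENT, 0,  0, 0 },
        { JEQ,      ev, 0, 3 },  /* mismatch: jump to RET 0 */
        { LD_UID,   0,  0, 0 },
        { JEQ,      u,  0, 1 },  /* mismatch: jump to RET 0 */
        { RET,      1,  0, 0 },  /* accept */
        { RET,      0,  0, 0 },  /* reject */
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* In-kernel filtering: only accepted records cross the boundary.
 * Returns records delivered; *bytes_out tallies what was copied. */
static size_t apf_drain(const struct insn *prog, size_t n,
                        const struct audit_rec *ring, size_t nrec,
                        struct audit_rec *user, size_t user_max, size_t *bytes_out)
{
    size_t out = 0;
    *bytes_out = 0;
    for (size_t i = 0; i < nrec && out < user_max; i++)
        if (apf_run(prog, n, &ring[i])) {
            memcpy(&user[out++], &ring[i], sizeof ring[i]);
            *bytes_out += sizeof ring[i];
        }
    return out;
}

/* Flag-and-copy scheme: the kernel only marks each record; every record
 * (plus its flag) is copied out and userland does the actual filtering. */
static size_t flag_drain(const struct insn *prog, size_t n,
                         const struct audit_rec *ring, size_t nrec,
                         struct audit_rec *user, uint8_t *wanted, size_t *bytes_out)
{
    for (size_t i = 0; i < nrec; i++) {
        memcpy(&user[i], &ring[i], sizeof ring[i]);
        wanted[i] = (uint8_t)apf_run(prog, n, &ring[i]);
    }
    *bytes_out = nrec * (sizeof ring[0] + sizeof wanted[0]);
    return nrec;
}

/* Userland half of the flag scheme: keep only what the user asked for. */
static size_t user_filter(const uint8_t *wanted, size_t nrec)
{
    size_t keep = 0;
    for (size_t i = 0; i < nrec; i++)
        keep += wanted[i] != 0;
    return keep;
}

int main(void)
{
    struct insn prog[8];
    struct audit_rec user[NSAMPLE];
    uint8_t wanted[NSAMPLE];
    size_t bytes, n = apf_compile_event_uid(1, 1000, prog);
    size_t got = apf_drain(prog, n, sample, NSAMPLE, user, NSAMPLE, &bytes);
    printf("in-kernel filter: %zu records, %zu bytes copied out\n", got, bytes);
    flag_drain(prog, n, sample, NSAMPLE, user, wanted, &bytes);
    printf("flag-and-copy:    %zu records, %zu bytes copied out\n",
           user_filter(wanted, NSAMPLE), bytes);
    return 0;
}
```

Both paths deliver the same two records to the consumer; the difference is that the in-kernel path copies only those two, while the flag path copies all five plus a flag byte each, which is exactly the copyout cost the quoted proposal is trying to avoid. A real filter would also need to validate the program (bounds on jumps, no loops) before installing it, as bpf does.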