From owner-freebsd-security Mon Sep 20 10: 8:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id DA52E1531C for ; Mon, 20 Sep 1999 10:08:16 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id LAA27492; Mon, 20 Sep 1999 11:08:11 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id LAA01364; Mon, 20 Sep 1999 11:08:11 -0600
Date: Mon, 20 Sep 1999 11:08:11 -0600
Message-Id: <199909201708.LAA01364@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Rodney W. Grimes"
Cc: robert+freebsd@cyrus.watson.org (Robert Watson), security@FreeBSD.ORG
Subject: Re: Real-time alarms
In-Reply-To: <199909201541.IAA59140@gndrsh.dnsmgr.net>
References: <199909201541.IAA59140@gndrsh.dnsmgr.net>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > I'd advise against developing any more codebases for auditing--we already
> > have two :-). I have a /dev/audit, submission of records from a number of
> > syscalls, an auditd + IDS interface, and some log management code. Nate's
> > folk are working on a better kernel interface and implementation, as was
> > discussed on freebsd-security in July (please see archive for details).
> > My userland library currently supports most of the posix.1e audit
> > interface spec, and I have a set of posix.1e extensions for IDS modules.
> > My hope is to adapt my auditd to speak Nate's kernel improvements, but
> > continue to provide a standard interface and useful tools/etc.
>
> URL to source code please... and I already pointed out that we need
> to at least look at what is out there.

Robert's code exists, but we both agree it was not the most efficient
way of doing things. My code is not yet available for reasons already
stated publicly. If/when it's to the point that it actually does
something significant, then maybe I'll put up a snapshot for public
consumption, but no earlier.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message