Date: Tue, 17 Jul 2001 13:56:26 -0400 (EDT)
From: "Andrew R. Reiter"
To: Kris Kennaway
Cc: Jason DiCioccio, "'Artur Meski'", freebsd-security@FreeBSD.ORG, robert@watson.org
Subject: Re: Exec logging, FreeBSD Kernel Module.
In-Reply-To: <20010717095535.A78558@xor.obsecurity.org>

I basically got a 0 response to my initial SPY reply, so I will attempt to mention it here again, and throw Robert's name on it.

AFAIK, at USENIX there was a BoF for those working on kernel related security features (Trusted patch sets, other) to speak their minds on 1) what they were doing and 2) to attempt to start to come up with some sort of cross-OS standard for having "hooks" into kernel code. This would allow for easy coding of kernel related features that could be cross-OS allowing for only recoding of possible OS specific pieces (which would be greatly lessened after this standard interface was in place).

Anyway, what I had been wondering was whether or not there were some useful conclusions actually made from that BoF... These would be useful in something like SPY -- or some work that I'm doing -- so that they can attempt to conform to a standard from the beginning.

Anyone have any thoughts on 1) what happened at the BoF and 2) future of kernel hook standards in fbsd?

Andrew

On Tue, 17 Jul 2001, Kris Kennaway wrote:

> On Tue, Jul 17, 2001 at 09:37:22AM -0700, Jason DiCioccio wrote:
> >
> > Try reading up on process accounting :-)
>
> Process accounting isn't intended as a security audit feature.
>
> Kris
>

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
|   to undertake the analysis of the obvious" -- A.N. Whitehead