Date:      Fri, 17 Nov 2006 20:28:45 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        trustedbsd-audit@freebsd.org
Subject:   firewall audit records
Message-ID:  <20061117200831.S18512@maildrop.int.zabbadoz.net>

Hi,

I chatted with Robert Watson about firewall audit records at
EuroBSDCon.

There were some basic questions coming up that I'd like to put up for
discussion:

- how to decide which rules one wants auditing enabled for?
   for example adding an "audit" flag to a rule and generating records
   for matches [implying the question of who might do or change that].

- what to put into the audit record?
   protocol / rule number / addresses / deny|permit|log / ...
   this is especially interesting as different firewalls may
   provide different data and different rules/protocols may have
   different payload. What kind of payload - if at all - should
   be in the audit record?

- how to reliably generate audit records?
   usually one pre-allocates memory for the audit record and uses
   flags like M_WAITOK. This might not be feasible for (high
   bandwidth) network traffic passing the firewall.


/bz

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
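As an added example, not code from the message above nor from FreeBSD or TrustedBSD, here is a C sketch of the third point raised in the mail: a filter hook that emits fixed-size audit records into a ring of pre-allocated slots and counts drops instead of sleeping on allocation in the packet path. The record carries the candidate fields from the second point (protocol, rule number, addresses, permit|deny, log) and no payload, so its size is known up front. The struct names, flag bits, ring depth and sample addresses are assumptions made for the example.

```c
/* Added example, not FreeBSD or TrustedBSD code: a sketch of how a packet
 * filter could emit audit records for matched rules without sleeping in the
 * hot path.  Slots are pre-allocated in a fixed ring; when it is full the
 * record is dropped and counted instead of waiting for memory (the M_WAITOK
 * concern in the mail).  All names, field layouts and sizes are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_AUDIT_RING  8      /* hypothetical ring depth (power of two) */
#define FW_RULE_AUDIT  0x1    /* hypothetical per-rule "audit" flag */
#define FW_RULE_LOG    0x2    /* hypothetical per-rule "log" flag */

enum fw_action { FW_PERMIT = 0, FW_DENY = 1 };

/* One record: the candidate fields the mail lists (protocol, rule number,
 * addresses, permit|deny, log).  No payload is copied; that keeps the
 * record fixed-size so a slot can be reserved ahead of time. */
struct fw_audit_rec {
    uint32_t rule_no;
    uint8_t  proto;       /* IP protocol number, 6 = TCP, 17 = UDP */
    uint8_t  action;      /* enum fw_action */
    uint16_t rule_flags;  /* FW_RULE_* bits the matched rule carried */
    uint32_t src, dst;    /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
};

/* Single-producer / single-consumer ring.  A real kernel would use one
 * ring per CPU or atomic head/tail updates; this demo assumes no
 * concurrency. */
struct fw_audit_ring {
    struct fw_audit_rec slot[FW_AUDIT_RING];
    uint32_t head, tail;   /* head - tail == records currently queued */
    uint64_t dropped;      /* records lost because the ring was full */
};

void fw_audit_ring_init(struct fw_audit_ring *r) { memset(r, 0, sizeof *r); }

/* Called from the filter hook once a rule has matched.  Never sleeps.
 * Returns -1 if the rule is not flagged for audit, 0 if the record was
 * dropped (ring full), 1 if it was queued. */
int fw_audit_on_match(struct fw_audit_ring *r, const struct fw_audit_rec *in)
{
    if (!(in->rule_flags & FW_RULE_AUDIT))
        return -1;
    if (r->head - r->tail >= FW_AUDIT_RING) {
        r->dropped++;      /* loss is counted, not silent */
        return 0;
    }
    r->slot[r->head % FW_AUDIT_RING] = *in;
    r->head++;
    return 1;
}

/* Consumer side (e.g. an audit worker thread) copies one record out.
 * Returns 1 if a record was drained, 0 if the ring was empty. */
int fw_audit_drain(struct fw_audit_ring *r, struct fw_audit_rec *out)
{
    if (r->head == r->tail)
        return 0;
    *out = r->slot[r->tail % FW_AUDIT_RING];
    r->tail++;
    return 1;
}

/* Constructed burst: n back-to-back matches of audited rules with no
 * consumer running, as a high-bandwidth flow would produce.  Returns
 * how many records were queued; the rest show up in r->dropped. */
int fw_audit_burst(struct fw_audit_ring *r, int n)
{
    int queued = 0;
    for (int i = 0; i < n; i++) {
        struct fw_audit_rec rec = {
            .rule_no = 100 + i, .proto = 6,
            .action = (i & 1) ? FW_DENY : FW_PERMIT,
            .rule_flags = FW_RULE_AUDIT | FW_RULE_LOG,
            .src = 0x0a000001u, .dst = 0x0a000002u,   /* 10.0.0.1 -> 10.0.0.2 */
            .sport = 40000 + i, .dport = 22,
        };
        if (fw_audit_on_match(r, &rec) == 1)
            queued++;
    }
    return queued;
}

int main(void)
{
    struct fw_audit_ring ring;
    struct fw_audit_rec rec;
    fw_audit_ring_init(&ring);
    printf("queued %d of 10, dropped %llu\n", fw_audit_burst(&ring, 10),
           (unsigned long long)ring.dropped);
    while (fw_audit_drain(&ring, &rec))
        printf("rule %u proto %u %s %08x:%u -> %08x:%u\n", rec.rule_no,
               rec.proto, rec.action == FW_DENY ? "deny" : "permit",
               rec.src, rec.sport, rec.dst, rec.dport);
    return 0;
}
```

The point of the drop counter is that a record lost under load is still visible to whoever reads the audit trail, which is the weaker but achievable guarantee when blocking allocation in the forwarding path is off the table; whether loss is acceptable at all, or the packet should instead be dropped when its record cannot be written, is a policy question the mail leaves open.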