Date: Fri, 17 Nov 2006 20:28:45 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: trustedbsd-audit@freebsd.org
Subject: firewall audit records
Message-ID: <20061117200831.S18512@maildrop.int.zabbadoz.net>
Hi,

I chatted with Robert Watson about firewall audit records at EuroBSDCon.
There were some basic questions coming up that I'd like to put up for
discussion:

- how to decide what rules one wants auditing enabled for?
  for example adding an "audit" flag to a rule and generating records
  for matches [implying the question who might do or change that].

- what to put into the audit record?
  protocol / rule number / addresses / deny|permit|log / ...
  this is especially interesting as different firewalls may provide
  different data and different rules/protocols may have different
  payload. What kind of payload - if at all - should be in the audit
  record?

- how to reliably generate audit records?
  usually one pre-allocates memory for the audit record and uses flags
  like M_WAITOK. This might not be feasible for (high bandwidth) network
  traffic passing the firewall.

/bz

-- 
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
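The following is an added example sketching the three design questions raised in the mail; it is not code from the mail, from TrustedBSD or from any FreeBSD firewall. It shows a per-rule opt-in "audit" flag, a fixed record layout carrying protocol, rule number, addresses, action and a bounded payload prefix, and a preallocated record pool that the packet path draws from without blocking, so that a match which cannot get a record is counted as dropped rather than sleeping (the M_WAITOK concern). All names (fw_rule, fw_audit_record, fw_audit_pool, FW_RULE_F_AUDIT and so on), the pool size and the sample addresses are hypothetical, constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fw_action { FW_PERMIT = 0, FW_DENY = 1 };

/* Hypothetical per-rule flags; FW_RULE_F_AUDIT is the opt-in "audit" flag. */
#define FW_RULE_F_LOG   0x1u
#define FW_RULE_F_AUDIT 0x2u

struct fw_rule {
	uint32_t number;        /* rule number */
	uint8_t  proto;         /* IP protocol matched (6 = TCP, 17 = UDP) */
	enum fw_action action;
	uint32_t flags;         /* FW_RULE_F_* */
};

/* Fixed-size record: the fields listed in the mail plus a bounded payload prefix. */
#define FW_AUDIT_PAYLOAD_MAX 16
struct fw_audit_record {
	uint32_t rule_number;
	uint8_t  proto;
	uint32_t src, dst;      /* IPv4 addresses, host byte order (constructed in the demo) */
	enum fw_action action;
	bool     logged;        /* rule also carried the log flag */
	uint8_t  payload[FW_AUDIT_PAYLOAD_MAX];
	uint8_t  payload_len;
};

/* Preallocated pool: the packet path takes a slot without blocking; when none is
 * free the match is counted in `dropped` instead of waiting for memory. */
#define FW_AUDIT_POOL_SIZE 4
struct fw_audit_pool {
	struct fw_audit_record slots[FW_AUDIT_POOL_SIZE];
	bool     in_use[FW_AUDIT_POOL_SIZE];
	uint64_t submitted;     /* records handed to the audit worker */
	uint64_t dropped;       /* matches whose record was lost to pool exhaustion */
};

static void fw_audit_pool_init(struct fw_audit_pool *p)
{
	memset(p, 0, sizeof(*p));
}

/* Non-blocking allocation from the fixed pool; NULL means "drop and count". */
static struct fw_audit_record *fw_audit_alloc_nowait(struct fw_audit_pool *p)
{
	for (int i = 0; i < FW_AUDIT_POOL_SIZE; i++) {
		if (!p->in_use[i]) {
			p->in_use[i] = true;
			return &p->slots[i];
		}
	}
	p->dropped++;
	return NULL;
}

/* Called on a rule match in the packet path. Returns true if a record was queued. */
static bool fw_match_audit(struct fw_audit_pool *p, const struct fw_rule *rule,
    uint32_t src, uint32_t dst, const uint8_t *payload, size_t len)
{
	if ((rule->flags & FW_RULE_F_AUDIT) == 0)
		return false;       /* rule not opted in to auditing */
	struct fw_audit_record *r = fw_audit_alloc_nowait(p);
	if (r == NULL)
		return false;       /* pool exhausted: counted, never blocks */
	r->rule_number = rule->number;
	r->proto = rule->proto;
	r->src = src;
	r->dst = dst;
	r->action = rule->action;
	r->logged = (rule->flags & FW_RULE_F_LOG) != 0;
	size_t n = len < FW_AUDIT_PAYLOAD_MAX ? len : FW_AUDIT_PAYLOAD_MAX;
	memcpy(r->payload, payload, n);
	r->payload_len = (uint8_t)n;
	return true;
}

/* Slow path (audit worker): emit every queued record, free its slot, and
 * return how many records were emitted. */
static size_t fw_audit_drain(struct fw_audit_pool *p,
    void (*emit)(const struct fw_audit_record *))
{
	size_t n = 0;
	for (int i = 0; i < FW_AUDIT_POOL_SIZE; i++) {
		if (p->in_use[i]) {
			if (emit != NULL)
				emit(&p->slots[i]);
			p->in_use[i] = false;
			n++;
		}
	}
	p->submitted += n;
	return n;
}

static void fw_audit_print(const struct fw_audit_record *r)
{
	printf("audit: rule=%u proto=%u src=0x%08x dst=0x%08x %s%s payload=%u bytes\n",
	    (unsigned)r->rule_number, (unsigned)r->proto, (unsigned)r->src,
	    (unsigned)r->dst, r->action == FW_DENY ? "deny" : "permit",
	    r->logged ? "+log" : "", (unsigned)r->payload_len);
}

int main(void)
{
	static struct fw_audit_pool pool;
	struct fw_rule deny_tcp = { 100, 6, FW_DENY, FW_RULE_F_AUDIT | FW_RULE_F_LOG };
	uint8_t pkt[32] = { 0 };    /* constructed stand-in for packet bytes */

	fw_audit_pool_init(&pool);
	/* Five matches against a four-slot pool: the fifth is dropped, not blocked on. */
	for (int i = 0; i < 5; i++)
		fw_match_audit(&pool, &deny_tcp, 0x0a000001u, 0x0a000002u, pkt, sizeof(pkt));
	fw_audit_drain(&pool, fw_audit_print);
	printf("submitted=%llu dropped=%llu\n",
	    (unsigned long long)pool.submitted, (unsigned long long)pool.dropped);
	return 0;
}
```

The point of the `dropped` counter is that an audit trail which silently loses records under load is worse than one that loses them visibly: a reviewer can see that four records were written and one match went unrecorded, and size the pool or rate-limit the audited rules accordingly.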