From owner-trustedbsd-audit@FreeBSD.ORG  Fri Nov 17 20:29:40 2006
Return-Path: <owner-trustedbsd-audit@FreeBSD.ORG>
X-Original-To: trustedbsd-audit@freebsd.org
Delivered-To: trustedbsd-audit@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CE40F16A47E
	for <trustedbsd-audit@freebsd.org>;
	Fri, 17 Nov 2006 20:29:40 +0000 (UTC)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 83E6043D9E
	for <trustedbsd-audit@freebsd.org>;
	Fri, 17 Nov 2006 20:29:20 +0000 (GMT)
	(envelope-from bzeeb-lists@lists.zabbadoz.net)
Received: from transport.cksoft.de (localhost [127.0.0.1])
	by transport.cksoft.de (Postfix) with ESMTP id 727D820014D
	for <trustedbsd-audit@freebsd.org>;
	Fri, 17 Nov 2006 21:29:19 +0100 (CET)
Received: by transport.cksoft.de (Postfix, from userid 66)
	id 592B8200146; Fri, 17 Nov 2006 21:29:13 +0100 (CET)
Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net
	[10.111.66.10])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.int.zabbadoz.net (Postfix) with ESMTP id 8265B444889
	for <trustedbsd-audit@freebsd.org>;
	Fri, 17 Nov 2006 20:28:45 +0000 (UTC)
Date: Fri, 17 Nov 2006 20:28:45 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
X-X-Sender: bz@maildrop.int.zabbadoz.net
To: trustedbsd-audit@freebsd.org
Message-ID: <20061117200831.S18512@maildrop.int.zabbadoz.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de
Cc: 
Subject: firewall audit records
X-BeenThere: trustedbsd-audit@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD Audit Discussion List <trustedbsd-audit.FreeBSD.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-audit>, 
	<mailto:trustedbsd-audit-request@FreeBSD.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/trustedbsd-audit>
List-Post: <mailto:trustedbsd-audit@FreeBSD.org>
List-Help: <mailto:trustedbsd-audit-request@FreeBSD.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/trustedbsd-audit>, 
	<mailto:trustedbsd-audit-request@FreeBSD.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2006 20:29:40 -0000

Hi,

I chatted with Robert Watson about firewall audit records at
EuroBSDCon.

There were some basic questions coming up that I'd like to put up for
discussion:

- how to decide what rules one wants auditing enabled for?
   for example adding an "audit" flag to a rule and generate records
   for matches [implying the question who might do or change that].

- what to put into the audit record?
   protocol / rule number / addresses / deny|permit|log / ...
   this is especially interesting as different firewalls may
   provide different data and different rules/protocols may have
   different payload. What kind of payload - if at all - should
   be in the audit record?

- how to reliably generate audit records?
   usually one pre-allocates memory for the audit record and uses
   flags like M_WAITOK. This might not be feasible for (high
   bandwidth) network traffic passing the firewall.


/bz

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT