From owner-freebsd-stable Sat Jan 5 13:38:31 2002
To: Brett Glass
Cc: Archie Cobbs, stable@FreeBSD.ORG, re@FreeBSD.ORG
Subject: Re: Could someone commit the change suggested in PR bin/32420?
In-Reply-To: Message from Brett Glass of "Sat, 05 Jan 2002 01:00:33 MST." <4.3.2.7.2.20020105005950.00db4f00@localhost>
Date: Sat, 05 Jan 2002 13:38:06 -0800
Message-ID: <25228.1010266686@winston.freebsd.org>
From: Jordan Hubbard
Sender: owner-freebsd-stable@FreeBSD.ORG

Of course, collecting log data for analysis from syslog is pretty
low-tech when it comes to detecting and/or stopping attacks in
real-time and I'd hope this wouldn't be encouraged as a general
practice. If that's your aim then you should be campaigning for a
/dev/audit device and the instrumenting of suitable logpoints in the
kernel and various utilities. Then your stuff just opens /dev/audit,
registers an event selection mask with it, and goes to sleep waiting
for events.

- Jordan

> At 12:37 AM 1/5/2002, Archie Cobbs wrote:
>
> >Interesting, I was just thinking of the same thing today.
>
> In that case, you'll probably like the paper I'm presenting
> at BSDCon.
>
> >I just committed a fix to -current.. if the re approves I can MFC it too.
>
> Wonderful! Thank you....
>
> --Brett
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message