Date: Thu, 2 Feb 2006 00:36:15 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Mike Jakubik <mikej@rogers.com>
Cc: trustedbsd-audit@TrustedBSD.org, Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>, current@FreeBSD.org
Subject: Re: HEADS UP: Audit integration into CVS in progress, some tree disruption
Message-ID: <20060202003229.N87763@fledge.watson.org>
In-Reply-To: <43E14C53.3060400@rogers.com>
References: <20060201221213.L87763@fledge.watson.org> <43E134AB.8000600@t-hosting.hu> <20060201222704.G87763@fledge.watson.org> <43E14C53.3060400@rogers.com>
On Wed, 1 Feb 2006, Mike Jakubik wrote:

> Robert Watson wrote:
>>
>> On Wed, 1 Feb 2006, Kövesdán Gábor wrote:
>>
>>> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming 6.1? Or only for 6.2 or later?
>>
>> It depends a bit how well this shakes out. The code is definitely still "experimental", in that the set of events audited is not yet complete. There are three general sorts of weaknesses in the set of events currently audited:
>>
>> With all this in mind, it is not yet ruled out that we could ship initial "experimental" audit support in 6.1-RELEASE. In fact, the timing is currently such that it will be possible, assuming all goes well, and allowing for the fact that it really will be an experimental feature and not a production feature in 6.1. We were quite careful to merge the necessary ABI changes to RELENG_6 before the 6.0 release so that merging it would be possible without breaking existing 6.x device drivers.
>
> Personally, I would like to see less "experimental" code in 6.1. Perhaps it would be better to wait until everyone feels the code is ready?

Audit is a feature optionally compiled into the kernel -- the goal of providing it via RELENG_6, if we decide to go that way, would be to allow early adopters to compile in the option if they needed to use it. The main things standing between us and a merge to RELENG_6 are making sure that file formats are finalized, in order to prevent backward/forward incompatibilities being introduced.

Without the code compiled into the kernel, the audit system is completely disabled, although the command line tools to process audit logs from audit-enabled systems will be present and will operate. I agree that caution is required -- on the other hand, audit is a feature that can be incrementally improved as time goes by as long as the basic framework (which has not changed significantly in several months) works properly. The main things remaining to be added are capturing of additional information, which will not change the basic file format. Even without the additional information captured, audit is still very useful.

All that said -- we'll see where things sit in a couple of weeks, and as reports of more widespread use come in.

Robert N M Watson