Date:      Thu, 2 Feb 2006 00:36:15 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Mike Jakubik <mikej@rogers.com>
Cc:        trustedbsd-audit@TrustedBSD.org, Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>, current@FreeBSD.org
Subject:   Re: HEADS UP: Audit integration into CVS in progress, some tree disruption
Message-ID:  <20060202003229.N87763@fledge.watson.org>
In-Reply-To: <43E14C53.3060400@rogers.com>
References:  <20060201221213.L87763@fledge.watson.org> <43E134AB.8000600@t-hosting.hu> <20060201222704.G87763@fledge.watson.org> <43E14C53.3060400@rogers.com>



On Wed, 1 Feb 2006, Mike Jakubik wrote:

> Robert Watson wrote:
>>
>> On Wed, 1 Feb 2006, Kövesdán Gábor wrote:
>>
>>> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming
>>> 6.1? Or only for 6.2 or later?
>>
>> It depends a bit how well this shakes out.  The code is definitely still
>> "experimental", in that the set of events audited is not yet complete.
>> There are three general sorts of weaknesses in the set of events currently
>> audited:
>> With all this in mind, it is not yet ruled out that we could ship initial
>> "experimental" audit support in 6.1-RELEASE.  In fact, the timing is
>> currently such that it will be possible, assuming all goes well, and
>> allowing for the fact that it really will be an experimental feature and
>> not production feature in 6.1.  We were quite careful to merge the
>> necessary ABI changes to RELENG_6 before the 6.0 release so that merging it
>> would be possible without breaking existing 6.x device drivers.
>
> Personally, I would like to see less "experimental" code in 6.1. Perhaps it
> would be better to wait until everyone feels the code is ready?

Audit is a feature optionally compiled into the kernel -- the goal of
providing it via RELENG_6, if we decide to go that way, would be to allow
early adopters to compile in the option if they needed to use it.  The main
things standing between us and a merge to RELENG_6 are making sure that file
formats are finalized, in order to prevent backward/forward incompatibilities
being introduced.  Without the code compiled into the kernel, the audit system
is completely disabled, although the command line tools to process audit logs
from audit-enabled systems will be present and will operate.  I agree that
caution is required -- on the other hand, audit is a feature that can be
incrementally improved as time goes by as long as the basic framework (which
has not changed significantly in several months) works properly.  The main
things remaining to be added are capturing of additional information, which
will not change the basic file format.  Even without the additional
information captured, audit is still very useful.

All that said -- we'll see where things sit in a couple of weeks, and as=20
reports of more widespread use come in.

Robert N M Watson


