From: Robert Watson <rwatson@FreeBSD.org>
Date: Thu, 2 Feb 2006 00:36:15 +0000 (GMT)
To: Mike Jakubik
Cc: trustedbsd-audit@TrustedBSD.org, Kövesdán Gábor, current@FreeBSD.org
Subject: Re: HEADS UP: Audit integration into CVS in progress, some tree disruption
In-Reply-To: <43E14C53.3060400@rogers.com>
Message-ID: <20060202003229.N87763@fledge.watson.org>
References: <20060201221213.L87763@fledge.watson.org> <43E134AB.8000600@t-hosting.hu> <20060201222704.G87763@fledge.watson.org> <43E14C53.3060400@rogers.com>
On Wed, 1 Feb 2006, Mike Jakubik wrote:

> Robert Watson wrote:
>>
>> On Wed, 1 Feb 2006, Kövesdán Gábor wrote:
>>
>>> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming
>>> 6.1? Or only for 6.2 or later?
>>
>> It depends a bit how well this shakes out. The code is definitely still
>> "experimental", in that the set of events audited is not yet complete.
>> There are three general sorts of weaknesses in the set of events currently
>> audited:
>> With all this in mind, it is not yet ruled out that we could ship initial
>> "experimental" audit support in 6.1-RELEASE. In fact, the timing is
>> currently such that it will be possible, assuming all goes well, and
>> allowing for the fact that it really will be an experimental feature and
>> not a production feature in 6.1. We were quite careful to merge the
>> necessary ABI changes to RELENG_6 before the 6.0 release so that merging it
>> would be possible without breaking existing 6.x device drivers.
>
> Personally, I would like to see less "experimental" code in 6.1. Perhaps it
> would be better to wait until everyone feels the code is ready?

Audit is a feature optionally compiled into the kernel -- the goal of
providing it via RELENG_6, if we decide to go that way, would be to allow
early adopters to compile in the option if they needed to use it. The main
things standing between us and a merge to RELENG_6 are making sure that file
formats are finalized, in order to prevent backward/forward incompatibilities
being introduced. Without the code compiled into the kernel, the audit system
is completely disabled, although the command line tools to process audit logs
from audit-enabled systems will be present and will operate.

I agree that caution is required -- on the other hand, audit is a feature
that can be incrementally improved as time goes by as long as the basic
framework (which has not changed significantly in several months) works
properly. The main things remaining to be added are capturing of additional
information, which will not change the basic file format. Even without the
additional information captured, audit is still very useful.

All that said -- we'll see where things sit in a couple of weeks, and as
reports of more widespread use come in.

Robert N M Watson