List: trustedbsd-audit
Subject: firewall audit records
From: "Bjoern A. Zeeb" <bzeeb-lists () lists ! zabbadoz ! net>
Date: 2006-11-17 20:28:45
Message-ID: 20061117200831.S18512 () maildrop ! int ! zabbadoz ! net
Hi,
I chatted with Robert Watson about firewall audit records at
EuroBSDCon.
There were some basic questions coming up that I'd like to put up for
discussion:
- how to decide what rules one wants auditing enabled for?
for example adding an "audit" flag to a rule and generate records
for matches [implying the question who might do or change that].
- what to put into the audit record?
protocol / rule number / addresses / deny|permit|log / ...
this is especially interesting as different firewalls may
provide different data and different rules/protocols may have
different payload. What kind of payload - if at all - should
be in the audit record?
- how to reliably generate audit records?
usually one pre-allocates memory for the audit record and uses
flags like M_WAITOK. This might not be feasible for (high
bandwidth) network traffic passing the firewall.
/bz
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
_______________________________________________
trustedbsd-audit@FreeBSD.org mailing list
http://lists.freebsd.org/mailman/listinfo/trustedbsd-audit
To unsubscribe, send any mail to "trustedbsd-audit-unsubscribe@FreeBSD.org"
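The third question in the message above (how to generate records reliably without M_WAITOK-style allocation in the packet path) and the second (what the record carries) can be illustrated together. What follows is an added example, not code from the original message and not FreeBSD's or TrustedBSD's audit implementation: a pre-allocated ring of fixed-size records that the packet path fills without ever blocking or allocating, drops and counts when the ring is full, and consumes a sequence number on every match so that a gap in the drained records reveals the loss. The record carries only the rule number, protocol, addresses, ports and permit/deny decision, with no payload. All names (fw_rule, fw_pkt, fw_audit_*) and the single-producer/single-consumer layout without locking are assumptions made for illustration.

```c
/*
 * Added example (not FreeBSD/TrustedBSD code): a non-blocking,
 * pre-allocated ring of firewall audit records.  The fast path never
 * allocates or sleeps (the analogue of avoiding M_WAITOK in the packet
 * path); when the ring is full the record is dropped and counted, so the
 * cost per packet stays bounded and the loss is visible to the auditor.
 *
 * All names (fw_rule, fw_pkt, fw_audit_*) are hypothetical.  A real
 * kernel would protect the indexes with a lock or use per-CPU rings;
 * that is omitted here for clarity.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FW_AUDIT_RING_SIZE 4   /* small so the overflow path is easy to exercise */

enum fw_action { FW_PERMIT = 1, FW_DENY = 2 };

/* Packet fields the firewall has already decoded when a rule matches. */
struct fw_pkt {
    uint8_t  proto;          /* IPPROTO_* value */
    uint32_t src, dst;       /* IPv4 addresses, host byte order for simplicity */
    uint16_t sport, dport;   /* 0 for protocols without ports */
};

struct fw_rule {
    uint32_t number;
    enum fw_action action;
    int audit;               /* per-rule "audit" flag, as in the first question */
};

/* Minimal record: rule/protocol/address/port/action tuple, no payload. */
struct fw_audit_rec {
    uint64_t seq;            /* monotonically increasing; a gap reveals a drop */
    uint32_t rule;
    uint8_t  proto;
    uint8_t  action;
    uint32_t src, dst;
    uint16_t sport, dport;
};

static struct fw_audit_rec fw_audit_ring[FW_AUDIT_RING_SIZE]; /* pre-allocated at boot */
static size_t   fw_audit_head, fw_audit_tail;   /* producer / consumer indexes */
static uint64_t fw_audit_seq;                   /* next sequence number */
static uint64_t fw_audit_dropped;               /* records lost to a full ring */

static size_t fw_audit_pending(void)
{
    return fw_audit_head - fw_audit_tail;
}

/*
 * Called on every rule match from the packet path.  Returns 1 if a record
 * was queued, 0 if the rule is not audited, -1 if the ring was full.
 * Never blocks and never allocates.
 */
int fw_audit_submit(const struct fw_rule *r, const struct fw_pkt *p)
{
    struct fw_audit_rec *rec;

    if (!r->audit)
        return 0;
    if (fw_audit_pending() == FW_AUDIT_RING_SIZE) {
        fw_audit_dropped++;
        fw_audit_seq++;      /* burn the sequence number so the gap is visible */
        return -1;
    }
    rec = &fw_audit_ring[fw_audit_head % FW_AUDIT_RING_SIZE];
    rec->seq    = fw_audit_seq++;
    rec->rule   = r->number;
    rec->proto  = p->proto;
    rec->action = (uint8_t)r->action;
    rec->src    = p->src;
    rec->dst    = p->dst;
    rec->sport  = p->sport;
    rec->dport  = p->dport;
    fw_audit_head++;
    return 1;
}

/* Consumer side (e.g. a thread feeding the audit daemon): copies out up to max records. */
size_t fw_audit_drain(struct fw_audit_rec *out, size_t max)
{
    size_t n = 0;

    while (n < max && fw_audit_pending() > 0) {
        out[n++] = fw_audit_ring[fw_audit_tail % FW_AUDIT_RING_SIZE];
        fw_audit_tail++;
    }
    return n;
}

uint64_t fw_audit_drops(void)
{
    return fw_audit_dropped;
}

/* Reset global state so the example can be rerun from a clean ring. */
void fw_audit_reset(void)
{
    fw_audit_head = fw_audit_tail = 0;
    fw_audit_seq = fw_audit_dropped = 0;
    memset(fw_audit_ring, 0, sizeof(fw_audit_ring));
}
```

The design choice worth noting is that a drop is recorded twice: in the counter and as a hole in the sequence numbers, so a consumer that only sees the drained records can still tell that matches went unrecorded, which is the property an auditor cares about when the ring cannot keep up with line rate.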