
List:       trustedbsd-audit
Subject:    firewall audit records
From:       "Bjoern A. Zeeb" <bzeeb-lists () lists ! zabbadoz ! net>
Date:       2006-11-17 20:28:45
Message-ID: 20061117200831.S18512 () maildrop ! int ! zabbadoz ! net

Hi,

I chatted with Robert Watson about firewall audit records at
EuroBSDCon.

There were some basic questions coming up that I'd like to put up for
discussion:

- how to decide which rules one wants auditing enabled for?
   for example, adding an "audit" flag to a rule and generating records
   for matches [implying the question of who might do or change that].

- what to put into the audit record?
   protocol / rule number / addresses / deny|permit|log / ...
   this is especially interesting as different firewalls may
   provide different data and different rules/protocols may have
   different payload. What kind of payload - if at all - should
   be in the audit record?

- how to reliably generate audit records?
   usually one pre-allocates memory for the audit record and uses
   flags like M_WAITOK. This might not be feasible for (high-
   bandwidth) network traffic passing the firewall.


/bz

-- 
Bjoern A. Zeeb				bzeeb at Zabbadoz dot NeT
_______________________________________________
trustedbsd-audit@FreeBSD.org mailing list
http://lists.freebsd.org/mailman/listinfo/trustedbsd-audit
To unsubscribe, send any mail to "trustedbsd-audit-unsubscribe@FreeBSD.org"
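The three questions above (a per-rule audit flag, a compact record without packet payload, and allocation that never sleeps on the packet path) can be sketched together. The following C program is an added illustration written for this archive page; it is not FreeBSD, ipfw or pf code, and every name in it (fw_rule, fw_audit_rec, FW_RULE_AUDIT, audit_pool, the sample ruleset) is hypothetical. It models a tiny preallocated record pool and the M_NOWAIT-style choice the mail alludes to: when the pool is full, the record is dropped and counted rather than blocking the forwarding path.

```c
/* Added illustration (not FreeBSD code): a firewall whose rules carry an
 * "audit" flag and which emits fixed-size audit records from a
 * preallocated pool without ever sleeping on the packet path. All names
 * (fw_rule, fw_audit_rec, audit_pool, ...) are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { FW_PERMIT = 0, FW_DENY = 1 };
#define FW_RULE_LOG   0x1
#define FW_RULE_AUDIT 0x2   /* hypothetical per-rule flag: audit matches */

struct fw_rule {
    uint16_t number;
    uint8_t  proto;      /* 0 = any */
    uint32_t src, dst;   /* IPv4, 0 = any */
    int      action;
    unsigned flags;
};

struct pkt { uint8_t proto; uint32_t src, dst; };

/* The record the thread asks about: protocol, rule number, addresses,
 * action; no payload copy, so its size is fixed and small. */
struct fw_audit_rec {
    uint16_t rule;
    uint8_t  proto;
    uint8_t  action;
    uint32_t src, dst;
};

#define AUDIT_POOL 4   /* tiny on purpose so exhaustion is easy to show */
static struct fw_audit_rec audit_pool[AUDIT_POOL];
static size_t audit_used;
static unsigned long audit_dropped;   /* records lost because the pool was full */

/* Non-blocking allocation, the equivalent of M_NOWAIT rather than M_WAITOK:
 * on the packet path we must not sleep, so a full pool means "drop and count". */
static struct fw_audit_rec *audit_rec_try_alloc(void) {
    if (audit_used == AUDIT_POOL) { audit_dropped++; return NULL; }
    return &audit_pool[audit_used++];
}

/* Consumer side (e.g. an audit daemon) drains the pool in bulk. */
static size_t audit_drain(struct fw_audit_rec *out, size_t max) {
    size_t n = audit_used < max ? audit_used : max;
    memcpy(out, audit_pool, n * sizeof *out);
    audit_used = 0;
    return n;
}

static int rule_matches(const struct fw_rule *r, const struct pkt *p) {
    return (r->proto == 0 || r->proto == p->proto) &&
           (r->src == 0 || r->src == p->src) &&
           (r->dst == 0 || r->dst == p->dst);
}

/* First-match evaluation; returns the action and emits an audit record
 * only for rules flagged FW_RULE_AUDIT. */
static int fw_eval(const struct fw_rule *rules, size_t nrules, const struct pkt *p) {
    for (size_t i = 0; i < nrules; i++) {
        if (!rule_matches(&rules[i], p)) continue;
        if (rules[i].flags & FW_RULE_AUDIT) {
            struct fw_audit_rec *rec = audit_rec_try_alloc();
            if (rec) {
                rec->rule = rules[i].number; rec->proto = p->proto;
                rec->action = (uint8_t)rules[i].action;
                rec->src = p->src; rec->dst = p->dst;
            }
        }
        return rules[i].action;
    }
    return FW_DENY;   /* default deny */
}

static unsigned long audit_dropped_count(void) { return audit_dropped; }
static size_t audit_pending(void) { return audit_used; }

/* Constructed sample ruleset: only rules 200 and 300 are audited. */
static const struct fw_rule sample_rules[] = {
    { 100, 6,  0, 0x0a000001u, FW_PERMIT, FW_RULE_LOG },                 /* tcp to 10.0.0.1 */
    { 200, 17, 0, 0,           FW_DENY,   FW_RULE_AUDIT },               /* any udp */
    { 300, 0,  0, 0,           FW_DENY,   FW_RULE_AUDIT | FW_RULE_LOG }, /* everything else */
};

int main(void) {
    struct pkt udp = { 17, 0xc0a80001u, 0x0a000001u };   /* constructed packet */
    size_t n = sizeof sample_rules / sizeof sample_rules[0];
    for (int i = 0; i < 6; i++) fw_eval(sample_rules, n, &udp);  /* 6 matches, pool of 4 */
    printf("pending=%zu dropped=%lu\n", audit_pending(), audit_dropped_count());
    return 0;
}
```

The design point is that the drop counter is itself audit-relevant: a monitor that sees it climbing knows the trail has gaps during a traffic burst, which is the honest alternative to stalling packets with a sleeping allocation.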