Subject: linux port of /dev/audit
From: Robert Watson (rwat@FreeBSD.org)
Date: May 22, 2000 5:26:41 pm
List: org.freebsd.trustedbsd-discuss

On Mon, 22 May 2000, Beat Christen wrote:

> I will be working on a /dev/audit port for the Linux kernel as part of my master's thesis. To reduce double work, I'll try to stay compatible with the TrustedBSD /dev/audit binary format. Is there already a document on what this will look like, besides the source?

The initial two auditing prototypes generated as a result of the POSIX.1e implementation effort were both left incomplete, although with a fair amount of consensus as to how to implement the final version. The general conclusion was that, for performance reasons, /dev/audit should be implemented in an OS-optimized manner, but that audit logs would be exposed to log-{monitoring/reducing} applications via a portable audit application interface, presumably based on POSIX.1e.

At this point, before moving on to reimplementing auditing support, we're looking at restructuring the authorization interface for the kernel. We've been passing around a draft for that internally, and I hope to get one out on the list. One issue that has arisen is whether or not we should be providing a generalized/extensible authorization abstraction with well-defined semantics (i.e., as VFS is for file systems), or just improving the modularity of the kernel. However, this is probably best discussed in the context of a straw-man, so I'll try to get that out the door once the last few reviewers have got their comments in to me.

The optimal log-gathering format from the perspective of /dev/audit will depend on how the kernel gathers and manages security events in kernel, so I wouldn't advise predisposing yourself towards binary compatibility at that level. That said, if there was compatibility, it probably wouldn't hurt, as the FreeBSD Linux emulator could then allow Linux audit applications to run in binary form. :-) Once I get the authorization document out the door (hopefully in the next two days, before I get tied up at the DARPA PI meeting I'll be attending), I'll assemble my notes on the audit implementations we did.

Robert N M Watson

rob@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
