Date: Sat, 05 Jan 2002 13:38:06 -0800
From: Jordan Hubbard <jkh@winston.freebsd.org>
To: Brett Glass <brett@lariat.org>
Cc: Archie Cobbs <archie@dellroad.org>, stable@FreeBSD.ORG, re@FreeBSD.ORG
Subject: Re: Could someone commit the change suggested in PR bin/32420?
Message-ID: <25228.1010266686@winston.freebsd.org>
In-Reply-To: Message from Brett Glass <brett@lariat.org> of "Sat, 05 Jan 2002 01:00:33 MST." <4.3.2.7.2.20020105005950.00db4f00@localhost>
Of course, collecting log data for analysis from syslog is pretty low-tech when it comes to detecting and/or stopping attacks in real time and I'd hope this wouldn't be encouraged as a general practice. If that's your aim then you should be campaigning for a /dev/audit device and the instrumenting of suitable logpoints in the kernel and various utilities. Then your stuff just opens /dev/audit, registers an event selection mask with it, and goes to sleep waiting for events.

- Jordan

> At 12:37 AM 1/5/2002, Archie Cobbs wrote:
>
> >Interesting, I was just thinking of the same thing today.
>
> In that case, you'll probably like the paper I'm presenting
> at BSDCon.
>
> >I just committed a fix to -current.. if the re approves I can MFC it too.
>
> Wonderful! Thank you....
>
> --Brett
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
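The event-driven consumer Jordan describes, as an added example that is not part of the thread: a pipe stands in for the proposed /dev/audit device, and the class bits, mask layout and record format are assumptions invented for illustration. The point it shows is why the selection mask is registered with the kernel side: events the mask rejects are never queued, so the sleeping consumer only wakes for what it asked for.

```c
/* Added example, not from the thread: models the /dev/audit consumer Jordan
 * sketches. pipe() stands in for the device; class bits, mask and record
 * layout are assumptions invented here, not a FreeBSD ABI. */
#include <stdint.h>
#include <unistd.h>
#define AUD_CLASS_LOGIN   (1u << 0)   /* login/logout, auth failures */
#define AUD_CLASS_PROCESS (1u << 1)   /* fork/exec/exit */
/* Mask split by outcome: ask for failed logins without every success. */
struct audit_mask { uint32_t success, failure; };
struct audit_record { uint32_t event_class, uid; int32_t error; };

/* Kernel-side preselection: queue only what the registered mask asks for. */
int mask_selects(const struct audit_mask *m, const struct audit_record *r)
{
    uint32_t want = (r->error == 0) ? m->success : m->failure;
    return (want & r->event_class) != 0;
}

/* Consumer: sleep in read() until a whole record arrives; 0 at EOF/error. */
int consumer_next(int fd, struct audit_record *out)
{
    size_t got = 0;
    while (got < sizeof *out) {
        ssize_t n = read(fd, (char *)out + got, sizeof *out - got);
        if (n <= 0) return 0;
        got += (size_t)n;
    }
    return 1;
}

/* Push a constructed stream through the mask; return records delivered. */
int run_demo(void)
{
    struct audit_mask m = { AUD_CLASS_PROCESS, AUD_CLASS_LOGIN };
    struct audit_record stream[] = {
        { AUD_CLASS_LOGIN,   1001, 0  },  /* successful login: dropped */
        { AUD_CLASS_LOGIN,   1001, 13 },  /* failed login: delivered */
        { AUD_CLASS_PROCESS, 1001, 0  },  /* exec: delivered */
        { AUD_CLASS_PROCESS, 1001, 2  },  /* failed exec: dropped */
    };
    struct audit_record r; int fds[2], delivered = 0;
    if (pipe(fds) != 0) return -1;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (mask_selects(&m, &stream[i]))
            (void)write(fds[1], &stream[i], sizeof stream[i]);
    close(fds[1]);   /* producer gone: read() returns 0 once drained */
    while (consumer_next(fds[0], &r)) delivered++;
    close(fds[0]);
    return delivered;
}
```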