From owner-freebsd-security Sat Sep 18 8:38:21 1999
Date: Sat, 18 Sep 1999 09:37:13 -0600
From: Brett Glass
To: "Jordan K. Hubbard", "Rodney W. Grimes"
Cc: imp@village.org (Warner Losh), wes@softweyr.com (Wes Peters), security@FreeBSD.ORG
Subject: Re: BPF on in 3.3-RC GENERIC kernel
Message-Id: <4.2.0.58.19990918093413.047ff570@localhost>
In-Reply-To: <2091.937636119@localhost>

DEC's /dev/audit was the way they got Orange Book Class C certification, IIRC. As I understand it, though, it produced so many logs that you needed a separate gigabyte volume to hold them all on an active system!

It would be worthwhile to look into a version of this, and also Sun's stuff (which was also used to get Class C). If FreeBSD could get Class C certification, it would open up an amazing number of doors.

--Brett

At 11:28 PM 9/17/99 -0700, Jordan K. Hubbard wrote:
>I'm surprised nobody has brought up /dev/audit and the whole Digital
>Unix approach to security (OS-level event monitoring and active
>counter-measures). It's not like there aren't a number of existing
>examples to choose from when debating a "better course" of action.
>
>- Jordan