Date: Thu, 08 Apr 1999 11:08:52 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: POSIX.1E auditing support, an initial pass and some questions
Message-ID: <386.923562532@critter.freebsd.dk>
In-Reply-To: Your message of "Mon, 05 Apr 1999 13:56:41 EDT." <Pine.BSF.3.96.990331224610.4650D-100000@fledge.watson.org>
Hi Robert,

It sounds to me like you will be overlapping with KTRACE to a great extent; have you considered unification of the two? Certainly your stuff can do anything that KTRACE can, so if anything we should be able to get rid of KTRACE if we adopt your stuff.

There is also some overlap with process accounting, come to think of it.

There is no easy way to get all args to all syscalls; they're too unsystematic for that.

Have you considered doing (some of) the filtering in the kernel in a manner like bpf? This would reduce the performance impact.

I would also love to have a remote audit ability where the audit records are never passed into userland on the audited machine, but instead shipped over a network (or other interface) to a monitor box.

Keep at it!

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!