HEADS UP: Audit integration into CVS in progress, some tree disruption
Robert Watson
rwatson at FreeBSD.org
Thu Feb 2 00:36:15 GMT 2006

On Wed, 1 Feb 2006, Mike Jakubik wrote:
> Robert Watson wrote:
>>
>> On Wed, 1 Feb 2006, Kövesdán Gábor wrote:
>>
>>> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming
>>> 6.1? Or only for 6.2 or later?
>>
>> It depends a bit how well this shakes out. The code is definitely still
>> "experimental", in that the set of events audited is not yet complete.
>> There are three general sorts of weaknesses in the set of events currently
>> audited:
>> With all this in mind, it is not yet ruled out that we could ship initial
>> "experimental" audit support in 6.1-RELEASE. In fact, the timing is
>> currently such that it will be possible, assuming all goes well, and
>> allowing for the fact that it really will be an experimental feature and
>> not a production feature in 6.1. We were quite careful to merge the
>> necessary ABI changes to RELENG_6 before the 6.0 release so that merging it
>> would be possible without breaking existing 6.x device drivers.
>
> Personally, I would like to see less "experimental" code in 6.1. Perhaps it
> would be better to wait until everyone feels the code is ready?

Audit is a feature optionally compiled into the kernel -- the goal of
providing it via RELENG_6, if we decide to go that way, would be to allow
early adopters to compile in the option if they needed to use it. The main
thing standing between us and a merge to RELENG_6 is making sure that file
formats are finalized, in order to prevent backward/forward incompatibilities
being introduced. Without the code compiled into the kernel, the audit system
is completely disabled, although the command line tools to process audit logs
from audit-enabled systems will be present and will operate. I agree that
caution is required -- on the other hand, audit is a feature that can be
incrementally improved as time goes by as long as the basic framework (which
has not changed significantly in several months) works properly. The main
things remaining to be added are capturing of additional information, which
will not change the basic file format. Even without the additional
information captured, audit is still very useful.

All that said -- we'll see where things sit in a couple of weeks, and as
reports of more widespread use come in.

Robert N M Watson