firewall audit records
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Fri Nov 17 20:29:40 UTC 2006
Hi,
I chatted with Robert Watson about firewall audit records at
EuroBSDCon.
There were some basic questions coming up that I'd like to put up for
discussion:
- how to decide what rules one wants auditing enabled for?
  for example adding an "audit" flag to a rule and generating records
  for matches [implying the question who might do or change that].
- what to put into the audit record?
  protocol / rule number / addresses / deny|permit|log / ...
  this is especially interesting as different firewalls may
  provide different data and different rules/protocols may have
  different payload. What kind of payload - if at all - should
  be in the audit record?
- how to reliably generate audit records?
  usually one pre-allocates memory for the audit record and uses
  flags like M_WAITOK. This might not be feasible for (high
  bandwidth) network traffic passing the firewall.
/bz
--
Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
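The first and third questions above (a per-rule "audit" flag, and emitting records without a sleeping allocation on the packet path) can be sketched in a few lines. This is an added, user-space C example written for this page, not code from the mail or from FreeBSD's audit or firewall code: the record layout, the FW_RULE_AUDIT flag and the fixed pool size are assumptions, and the ring is single-producer/single-consumer with no locking, which a real kernel path would need.

```c
#include <stdint.h>

/* Constructed record using the candidate fields from the mail (protocol,
 * rule number, addresses, deny/permit); not FreeBSD's audit record layout. */
struct fw_audit_rec {
    uint32_t rule;       /* matching rule number */
    uint8_t  proto;      /* IP protocol number */
    uint8_t  permit;     /* 1 = permit, 0 = deny */
    uint32_t src, dst;   /* IPv4 addresses, host byte order */
};

#define FW_RULE_AUDIT  0x1   /* hypothetical per-rule "audit" flag */
#define FW_AUDIT_SLOTS 4     /* deliberately small so the pool can fill */

/* Allocated once, up front: the packet path never allocates, so it never
 * needs a sleeping allocation (no M_WAITOK while traffic is being filtered). */
static struct fw_audit_rec pool[FW_AUDIT_SLOTS];
static unsigned head, tail;     /* single producer / single consumer only;
                                   a kernel path needs locking or atomics */
static unsigned long dropped;   /* records lost because the pool was full */

/* Called on a rule match. Returns 1 if a record was queued, 0 if the rule
 * is not flagged for audit, -1 if the pool was full and the record dropped. */
int fw_audit_match(unsigned rule_flags, const struct fw_audit_rec *r)
{
    if (!(rule_flags & FW_RULE_AUDIT))
        return 0;
    if (head - tail == FW_AUDIT_SLOTS) {
        dropped++;              /* count the loss rather than block */
        return -1;
    }
    pool[head % FW_AUDIT_SLOTS] = *r;
    head++;
    return 1;
}

/* Consumer side (an audit worker in a real system): take one record out.
 * Returns 1 on success, 0 when the pool is empty. */
int fw_audit_drain(struct fw_audit_rec *out)
{
    if (head == tail)
        return 0;
    *out = pool[tail % FW_AUDIT_SLOTS];
    tail++;
    return 1;
}

/* How many records were lost; a silent loss defeats the purpose of auditing,
 * so this counter is the value an operator would want exported. */
unsigned long fw_audit_dropped(void) { return dropped; }
```

Six matches on an audited rule fill the four slots, the last two calls return -1, and fw_audit_dropped() reports 2; once the consumer drains the pool, records are accepted again.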