[Ukfreebsd] July's LOSUG meeting, on a FreeBSD tip
Robert N. M. Watson
robert at fledge.watson.org
Tue Jul 6 23:31:40 BST 2010
On 6 Jul 2010, at 22:54, Luke Marsden wrote:
> This is great news. My abstract got mangled slightly - we used Dtrace on
> Solaris just for filesystem event notification. 'praudit /dev/auditpipe'
> does the same job nicely for us on FreeBSD.
Have you had any problems with interactions with other auditing going on on the system at the same time (or resulting inefficiency)? Our auditpipe(4) facility allows subscribing to classes of events independently from the global trail, but currently that's not easily accessible from the command line. One idea I've pondered is teaching auditreduce, when run on an audit pipe, to program the filters on the command line into the audit pipe it's accessing via ioctl, which would help eliminate undesired records from being exposed to audit pipe consumers, as well as allowing them to avoid modifying the system audit configuration.
(Details on what sorts of filters can be programmed are documented in auditpipe(4))
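As an added illustration of the per-consumer preselection Robert describes (this is example code, not from the thread or from FreeBSD's own auditreduce), the program below parses an audit_control(5)-style flags string such as `fw,fc,-ex,^+fd` into a success/failure class mask and, on FreeBSD, programs that mask into an audit pipe with the auditpipe(4) ioctls so the consumer sees only those classes without changing the global configuration. The class bit values are a constructed subset of the default audit_class(5) table and should be checked against the target system; the filesystem-only pipe Luke mentions would correspond to a spec like `fr,fw,fc,fd,fm,fa`.

```c
/* Added example (not from this thread): build a preselection mask from an
 * audit_control(5)-style flags string and, on FreeBSD, program it into an audit
 * pipe via the AUDITPIPE_SET_PRESELECT_* ioctls from auditpipe(4). The class
 * bits are a constructed subset of the default audit_class(5) table. */
#include <stdint.h>
#include <string.h>
#ifdef __FreeBSD__
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <bsm/audit.h>
#include <security/audit/audit_ioctl.h>
#endif
struct audit_class { const char *name; uint32_t mask; };
static const struct audit_class classes[] = {
    {"fr", 0x1}, {"fw", 0x2}, {"fa", 0x4}, {"fm", 0x8}, {"fc", 0x10}, {"fd", 0x20},
    {"cl", 0x40}, {"pc", 0x80}, {"ex", 0x40000000}, {"all", 0xffffffff}, {NULL, 0}};
struct presel { uint32_t success, failure; }; /* mirrors au_mask_t am_success/am_failure */
/* Parse "fw,fc,-ex,^+fd": bare class = success and failure, '+' = success only,
 * '-' = failure only, leading '^' removes instead of adds. Returns -1 on a bad spec. */
int parse_audit_flags(const char *spec, struct presel *out) {
    char buf[256];
    out->success = out->failure = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int negate = 0, succ = 1, fail = 1; const struct audit_class *c;
        if (*tok == '^') { negate = 1; tok++; }
        if (*tok == '+') { fail = 0; tok++; } else if (*tok == '-') { succ = 0; tok++; }
        for (c = classes; c->name && strcmp(c->name, tok); c++) ;
        if (!c->name) return -1;
        if (negate) { if (succ) out->success &= ~c->mask; if (fail) out->failure &= ~c->mask; }
        else        { if (succ) out->success |=  c->mask; if (fail) out->failure |=  c->mask; }
    }
    return 0;
}
/* Open /dev/auditpipe in local preselection mode so only the chosen classes
 * reach this consumer, leaving the system-wide audit_control(5) untouched. */
int open_filtered_auditpipe(const struct presel *p) {
#ifdef __FreeBSD__
    int fd = open("/dev/auditpipe", O_RDONLY), mode = AUDITPIPE_PRESELECT_MODE_LOCAL;
    au_mask_t m = { .am_success = p->success, .am_failure = p->failure };
    if (fd < 0) return -1;
    if (ioctl(fd, AUDITPIPE_SET_PRESELECT_MODE, &mode) < 0 ||
        ioctl(fd, AUDITPIPE_SET_PRESELECT_FLAGS, &m) < 0 ||
        ioctl(fd, AUDITPIPE_SET_PRESELECT_NAFLAGS, &m) < 0) { close(fd); return -1; }
    return fd; /* read(2) raw BSM records from fd, or hand them to praudit */
#else
    (void)p; return -1; /* audit pipes exist only on FreeBSD and Mac OS X */
#endif
}
```

Because the mask lives in the pipe rather than in audit_control, two consumers can subscribe to different classes at once and neither forces extra records into the global trail.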