tech-security archive
Re: kernel event auditing for NetBSD?
On Tue, Nov 16, 2010 at 03:00:51PM +1030, Brett Lymn wrote:
>
> Only if our implementation of DTrace does not merrily drop events. In
> Solaris the recommendation is to _never_ use DTrace for security
> related monitoring/enforcement because events get dropped when the
> buffer fills.

How is it arranged that the kernel auditing buffers never overflow? Are
new reportable events (forks, etc.) simply denied?

Thor