Re: kernel event auditing for NetBSD?

To: Thor Lancelot Simon <tls%panix.com@localhost>
Subject: Re: kernel event auditing for NetBSD?
From: Brett Lymn <blymn%baea.com.au@localhost>
Date: Tue, 16 Nov 2010 15:17:04 +1030

On Mon, Nov 15, 2010 at 11:33:13PM -0500, Thor Lancelot Simon wrote:
> 
> How is it arranged that the kernel auditing buffers never overflow?  Are
> new reportable events (forks, etc.) simply denied?
> 

That is a very good question - I don't know.  There would have to be
some mechanism otherwise all an attacker would need to do is flood the
auditing buffer and then do their nasty stuff undetected.

-- 
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."

References:
- kernel event auditing for NetBSD?
  - From: Jeremy C. Reed
- Re: kernel event auditing for NetBSD?
  - From: Antti Kantee
- Re: kernel event auditing for NetBSD?
  - From: Jeremy C. Reed
- Re: kernel event auditing for NetBSD?
  - From: Thor Lancelot Simon
- Re: kernel event auditing for NetBSD?
  - From: Brett Lymn
- Re: kernel event auditing for NetBSD?
  - From: Thor Lancelot Simon

Prev by Date: Re: kernel event auditing for NetBSD?
Next by Date: NetBSD Security Advisory 2010-012: OpenSSL TLS extension parsing race condition
Previous by Thread: Re: kernel event auditing for NetBSD?
Next by Thread: NetBSD Security Advisory 2010-012: OpenSSL TLS extension parsing race condition
Indexes:

Home | Main Index | Thread Index | Old Index