On Tue, Jun 13, 2006 at 08:13:05AM -0700, Gary Winiger wrote:
> > They don't duplicate the info in the syslog files though?
>
> Just to this point. Solaris Audit records a local binary
> file (possibly remote via NFS).
> In parallel it will write some subset of that file
> in a text format to syslog. The text format is not an interface
> just as no syslog message is an interface. If a human sees
> something of interest in the logs kept by syslog, they can go
> and investigate further. Solaris Audit has the ability to
> translate the local binary file to human readable still not an
> interface, or XML which is intended to be an interface for
> processing by other programs.
Now all we need is a way to remotely convey audit records securely
without losing interface-ness. Which was, I thought, part of the
discussion here.

Now let's pick our poison:

 - SNMPv3 traps
 - Old new SYSLOG (RFC3195)
 - New new SYSLOG (draft-ietf-syslog-*)
 - Old syslog with just enough structure grafted on top :-)
 - ISMS
 - Something else
 - Append-only files over NFS? (But how do you append to files over
   NFS? It can be done, but...)
 - Some other something else? :-)

I don't really care which as long as at least:

 a) audit record structure is preserved, and
 b) the transport to the relay/collector is secure.

Or at least such features are coming to whichever protocol we pick.
But preferably also

 c) there should be some way to provide detection of missing records,
    and for signatures; there's literature on how to do this.

Nico
--
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
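The "detection of missing records, and for signatures" that item c) asks for is usually built the same way in the audit-log literature Nico alludes to: every record carries a sequence number, a hash of the previous record, and a MAC computed under a per-record key that the sender evolves forward and then discards. The Python below is an added example written for this page; it is not code from Solaris Audit, from either poster, or from any of the listed protocols. The root key, the audit events, the envelope layout and the key-evolution scheme are constructed assumptions, and the collector is assumed to hold the same root key as the audited host.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed example secret shared by the audited host and the collector.
# A deployment would provision a real key out of band; this value is not one.
ROOT_KEY = b"constructed-example-root-key"
GENESIS = b"\x00" * 32  # "previous record" hash used by the very first record


def key_for(seq: int, root: bytes = ROOT_KEY) -> bytes:
    """Per-record MAC key: hash the root forward `seq` times.
    The sender keeps only the current key and deletes each one after use, so a
    host compromised after record n cannot forge or re-MAC records 0..n-1
    (forward security). A real collector would cache keys instead of
    recomputing the chain from the root every time."""
    k = root
    for _ in range(seq):
        k = hashlib.sha256(b"evolve|" + k).digest()
    return k


def _tag(seq: int, body: str) -> str:
    return hmac.new(key_for(seq), body.encode(), hashlib.sha256).hexdigest()


def emit_stream(events: List[dict]) -> List[Dict[str, str]]:
    """Sender side: wrap each audit event in a numbered, hash-chained,
    MACed envelope. The structured event itself is preserved untouched."""
    out, prev = [], GENESIS
    for seq, ev in enumerate(events):
        body = json.dumps({"seq": seq, "prev": prev.hex(), "event": ev}, sort_keys=True)
        tag = _tag(seq, body)
        out.append({"body": body, "tag": tag})
        # The next record commits to this record's body *and* its tag.
        prev = hashlib.sha256((body + tag).encode()).digest()
    return out


def verify_stream(entries: List[Dict[str, str]]) -> List[Tuple]:
    """Collector side. Returns findings; an empty list means the stream is
    intact, in order and gap-free. Finding kinds:
      ('bad_tag', position)        record modified or not produced with the key
      ('missing', first, last)     sequence gap: records first..last never arrived
      ('chain_break', seq)         seq arrived in order but does not commit to
                                   the record the collector actually holds before it
      ('replay_or_reorder', seq)   a sequence number already consumed"""
    findings: List[Tuple] = []
    expected, prev = 0, GENESIS
    for pos, e in enumerate(entries):
        body, tag = e["body"], e["tag"]
        try:
            hdr = json.loads(body)
            seq = int(hdr["seq"])
        except (ValueError, KeyError, TypeError):
            findings.append(("bad_tag", pos))
            continue
        if not hmac.compare_digest(_tag(seq, body), tag):
            findings.append(("bad_tag", pos))
            continue  # seq/prev inside an unauthenticated record are untrusted
        if seq < expected:
            findings.append(("replay_or_reorder", seq))
            continue
        if seq > expected:
            findings.append(("missing", expected, seq - 1))  # gap; resync below
        elif bytes.fromhex(hdr["prev"]) != prev:
            findings.append(("chain_break", seq))
        expected = seq + 1
        prev = hashlib.sha256((body + tag).encode()).digest()
    return findings


if __name__ == "__main__":
    # Constructed sample events, not real Solaris Audit output.
    evs = [{"type": "login", "user": "alice"}, {"type": "exec", "cmd": "ls"},
           {"type": "login", "user": "bob"}, {"type": "logout", "user": "alice"}]
    stream = emit_stream(evs)
    print("intact:", verify_stream(stream))
    print("record 2 dropped in transit:", verify_stream(stream[:2] + stream[3:]))
```

Two points worth noting in how the findings are reported. A record whose tag fails is not believed about anything, including its own sequence number, so the collector neither advances `expected` nor re-seeds the chain from it; the record that follows will then show up as a gap, which is the honest description of what the collector holds. And because the chain hash covers the tag as well as the body, an attacker who later learns the per-record key for `seq` can substitute that one record but cannot make the next record's `prev` agree with the substitute, so the swap surfaces as a `chain_break`.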