sending audit log to a remote system [PSARC/2009/208 FastTrack timeout 04/08/2009]
Darren J Moffat
Darren.Moffat at sun.com
Wed Apr 1 01:42:07 PDT 2009
Gary Winiger wrote:
> This project only provides the sending side of a complete Solaris remote
> audit trail solution. The receiving side will be covered by another,
> as yet, unscheduled project. The project team believes this case is complete
> without the receiving side and has a customer request to provide the sending
> side. (A prototype receiving side will be used for testing, but will
> not be delivered as part of this project.)
Normally I'd be very unhappy about having only a client side to a brand
new protocol, particularly given that this is not one specified by any
standards body.
However the prototype server does exist and I am aware that at least one
other server side implementation will be written.
Not really an ARC issue but I'd like to see that the prototype server at
least be put into a test suite that can be run.
> While Solaris GSS presently supports both Kerberos v5 and Diffie-Hellman GSS
> mechanisms as well as SPNEGO, RFC2478, (PSARC/2003/008 SPNEGO GSS Mechanism)
> mechanism negotiation, the project team believes the Kerberos mechanism is
> presently the only practical one for general deployment.
>
> A "solaris_audit" service port has been requested from IANA, but not yet
> granted.
Given that the plugin config syntax allows for any port I'm happy that
this project can integrate without depending on the IANA assignment. It
just means there will be no entry in services(4) for solaris_audit and
the plugin must be configured with a port number. If that is the case
then the man page should document that fact.
> Is audit_remote(5) sufficiently descriptive to construct a receiving service?
The only assumption I'm making (and sorry I didn't notice this before in
the pre-review) is that each message preceded by a TLV is exactly one
complete binary audit record and that we never attempt to send partial
records. While that is pretty much implicit in the fact that this is
an auditd plugin (and thus never sees partial records), it might be
worth making it explicit.
Other than that I think I could write a server for this given the
description in audit_remote(5).
Overall I'm happy with the case architecture and the above are really nits.
--
Darren J Moffat
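The framing assumption discussed above (each TLV-framed message carries exactly one complete binary audit record, and partial records are never sent) is the property a receiving service has to lean on when it reassembles frames from a stream. The following is an added illustration, not code from the project or from audit_remote(5): the header layout (1-byte type, 4-byte big-endian length), the type value, and the size bound are assumptions chosen for the example, and the record contents are constructed placeholders rather than real Solaris audit records. It shows a sender that refuses to frame anything but a whole record and a receiver that buffers across chunk boundaries, so a record is only handed up once its frame is complete, and a truncated trailing frame is left pending rather than delivered.

```python
import struct
from typing import List, Tuple

# Hypothetical frame layout (an assumption for this example, not the
# audit_remote(5) wire format):
#   type   : 1 byte
#   length : 4 bytes, unsigned big-endian, byte count of the value
#   value  : exactly one complete binary audit record
TYPE_AUDIT_RECORD = 0x01          # assumed type code
MAX_RECORD_LEN = 64 * 1024        # assumed upper bound; reject implausible lengths

HEADER = struct.Struct("!BI")     # network byte order, no padding: 5 bytes


def frame_record(record: bytes, rtype: int = TYPE_AUDIT_RECORD) -> bytes:
    """Sender side: wrap one whole audit record in a single TLV frame."""
    if not record:
        raise ValueError("refusing to frame an empty record")
    if len(record) > MAX_RECORD_LEN:
        raise ValueError("record exceeds maximum frame length")
    return HEADER.pack(rtype, len(record)) + record


class FrameDecoder:
    """Receiver side: reassemble TLV frames from a byte stream.

    Bytes arrive in arbitrary chunks, so the decoder buffers until an entire
    frame is present and never hands a partial record up to the caller.
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[bytes]:
        """Append received bytes; return every record whose frame is now complete."""
        self._buf.extend(data)
        records: List[bytes] = []
        while len(self._buf) >= HEADER.size:
            rtype, length = HEADER.unpack_from(self._buf, 0)
            if rtype != TYPE_AUDIT_RECORD:
                raise ValueError(f"unknown frame type 0x{rtype:02x}")
            if length == 0 or length > MAX_RECORD_LEN:
                raise ValueError(f"implausible frame length {length}")
            end = HEADER.size + length
            if len(self._buf) < end:
                break  # partial frame: keep buffering, deliver nothing yet
            records.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]
        return records

    def pending(self) -> int:
        """Bytes of an incomplete frame still buffered.

        Non-zero at end of stream means the sender was cut off mid-record,
        which a receiver should log rather than silently accept.
        """
        return len(self._buf)


def demo() -> Tuple[List[bytes], int]:
    """Run the framer and decoder over constructed sample data."""
    # Constructed placeholder records, not real Solaris audit records.
    recs = [b"record-one", b"record-two-longer", b"r3"]
    stream = b"".join(frame_record(r) for r in recs)
    # Deliver the stream in chunks that split frames at awkward points.
    chunks = [stream[:3], stream[3:20], stream[20:]]
    dec = FrameDecoder()
    got: List[bytes] = []
    for chunk in chunks:
        got.extend(dec.feed(chunk))
    # A truncated trailing frame: header promises 8 bytes, only 4 arrive.
    dec.feed(HEADER.pack(TYPE_AUDIT_RECORD, 8) + b"abcd")
    return got, dec.pending()


if __name__ == "__main__":
    delivered, leftover = demo()
    print("delivered:", delivered)
    print("bytes of incomplete frame pending:", leftover)
```

The decoder's loop is deliberately the only place records are produced, so a receiver built this way cannot emit a partial record even when the transport delivers a frame one byte at a time; the `pending()` count is what the service should check when the connection closes.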