Accomplished last week
- This report covers not only the last week, since I’ve been working since April 22nd.
- Most audit records for administrative firewall events have been defined [1].
- Records for stateful connection auditing for network firewall events have been defined [1].
- Initial testing has been done for PFIL_ENABLE and PFIL_DISABLE events for both IPFW and PF.
- Added wrappers around audit_arg_xxx to specify which record is being used.
- Moved preselection code to audit_begin().
- Added a new file (audit_pfil.c) to the build. This file contains subroutines for auditing packet filter events.
- Created a macro AUDIT_CALL to wrap audit function calls. This avoids a function call when audit_enabled isn’t set.
- Added preliminary audit support for IPFW rule and table changes (PFIL_ADDRULE/DELRULE, PFIL_TABLE).
[1] http://wiki.freebsd.org/AuditFirewallEvents
Planned for this week
- Define records for add and del table entries.
- Finish support for IPFW rule and table changes.
- Add initial audit support for network firewall events.
- Testing and testing and more testing.
Open for discussion
- rwatson: add table entry and del table entry events should be used instead of just update table event (planned)
- rwatson: add rule event should have the rule itself on the record (textual representation?) (needs to be better discussed)
- csjp: FLOW_END record should have a field for counting octets (done).
This is my first post. If you would like to know more about me and this blog, please go to the about page.
