• This report covers not only the last week, since I’ve been working since april 22nd.
• Most audit records for administrative firewall events have been defined [1].
• Records for statefull connection auditing for network firewall events have been defined [1].
• Initial testing have been done for PFIL_ENABLE and PFIL_DISABLE events for both IPFW and PF.
• Added wrappers around audit_arg_xxx to specify which record is being used
• Moved preselection code to audit_begin()
• Added a new file (audit_pfil.c) to the build. This file contains subroutines for auditing packet filter events.
• Created a macro AUDIT_CALL to wrap audit functions call. This avoid a function call when audit_enabled isn’t set.
• Added preliminary audit support for IPFW rule and table changes (PFIL_ADDRULE/DELRULE, PFIL_TABLE).

[1] http://wiki.freebsd.org/AuditFirewallEvents

Planned for this week

• Define records for add and del table entries.
• Finish support for IPFW rule and table changes
• Add initial audit support for network firewall events.
• Testing and testing and more testing.

Open for discussion

• rwatson: add table entry and del trable entry events should be used instead of just update table event (planned)
• rwatson: add rule event should have the rule itself on the record (textual representation?) (needs to be better discussed)
• csjp: FLOW_END record should have a field for counting octets (done).