[squid-dev] Securtiy_file_gen in a server format development

Alex Rousskov rousskov at measurement-factory.com
Wed Jan 16 22:04:39 UTC 2019


On 1/16/19 2:22 PM, eliezer at ngtech.co.il wrote:

> The use case of logging certificate generation [...] is security "auditing".

I doubt proper security auditing should rely on the log of _second-level
cache_ operations. If you do want to add logging, can you detail your
specific needs a little? Perhaps give a couple of specific usage
examples that are poorly addressed by current access.log information
_and_ should not be addressed by adding more access.log fields.


Thank you,

Alex.


> -----Original Message-----
> From: squid-dev <squid-dev-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
> Sent: Sunday, December 30, 2018 19:08
> To: squid-dev at lists.squid-cache.org
> Subject: Re: [squid-dev] Securtiy_file_gen in a server format development
> 
> On 12/29/18 11:45 PM, Eliezer Croitoru wrote:
> 
>> From what I understood until now it seems that the current ssl_db
>> directory structure is simple enough that it might be possible to share
>> it across an NFS store.
> 
> I would expect NFS store to work in environments that support file
> locking over NFS. For example, NFS flock(2) does not work with Linux
> kernels up to v2.6.11. For the list of environment-specific file locking
> system calls used by the certificate generator, see Ssl::Lock::lock().
> 
> 
>> Since squid is being used in a couple of locations as security software, it
>> would be good for security admins to be able to have some history logs.
> 
> The generated certificate database is just an optimization/cache.
> Logging certificate cache operations would probably be as useful/useless
> as store.log is for the HTTP cache. It would be good to discuss and
> target some specific use cases before designing where and how to log
> certificate operations.
> 
> Alex.
> 
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
> 