On Wednesday 06 February 2008 17:04:12 Steve Grubb wrote: > > Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but > > not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)? > > That one is still TBD. I needed the define in libaudit.h so I could use it > later. I have to patch a few user space utilities to send the event.
It occurred to me that I didn't fully answer this. The plugin right now is intended to be a usable proof of concept test. I only wanted to cover the "easy" ones. The other anomaly events would be covered in future versions of the plugin, but they generally require some work to get functioning. At this point, I'm interested in feedback and maybe some ideas about what kinds of alerts people might be interested in. One thing I ran into writing my plugins is that I think IDMEF is really more suited to NIDS rather than HIDS. I have been discussing this with the prelude developers and will write up my findings later. To really do a good job, I think the standard needs to change a little. For example, when you get an AVC, you need to see the syscall record in order to decide what the impact really is. Without the syscall record, you don't know if the system was in permissive mode at the time if the syscall. So you cannot conclude whether they succeeded or failed. The IDMEF standard has no way to say the result was indeterminate. So, it may take a while to get this plugin exactly the way I want since it may take some standards work to be able to express all the information that an audit system has available. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
