On Wednesday 19 March 2008 14:18:12 [EMAIL PROTECTED] wrote:
> However, *no* amount of special tagging will allow the IDS to disambiguate
> these two cases:
>
> 1) An audit rule was set, but no events generated because no activity
> matched.

In which case you have nothing to worry about. :)

> 2) An audit rule wasn't set at all.

Again nothing to worry about since they haven't set the system up yet.

> "unless you have a matching audit rule you will not get any records" means
> exactly that - so tagging the records you don't receive isn't useful.

But if you don't receive any records, nothing happened. :)

> There *is* the more general case of "I had a generic rule and a special
> watch and *both* fired" - but that problem is in no way IDS specific,

Right, this *is* something to worry about. I was thinking that we could solve this by having an option that tells the kernel to evaluate all rules and not just first match. I have also been wondering about detecting shadowed rules and warning when auditctl finishes a file.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
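The two ideas in Steve's reply, first-match versus evaluate-all rule matching and a shadowed-rule check after a rule file is loaded, as an added example that is not part of this thread and not code from the audit kernel subsystem or auditctl. It is a deliberately simplified Python model: the rule set is constructed, `PERM_SYSCALLS` is an assumed mapping of `-w -p` letters to syscalls (the kernel derives the real set from the permission mask), watches are compared by path string rather than by inode, and `-a list,action`, `-F` fields and arch are parsed but not modelled.

```python
"""Model first-match vs. evaluate-all audit rule matching and flag shadowed
rules in an auditctl-style rule file. Added example with a simplified model
of kernel matching; the rule set at the bottom is constructed, not a real file."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL = frozenset({"*"})  # sentinel: a rule with no -S (or -S all) matches any syscall

# Assumption: simplified map of -w permission letters to syscalls. The real
# kernel derives the set from the permission mask; this is only illustrative.
PERM_SYSCALLS = {
    "r": {"open", "openat"},
    "w": {"open", "openat", "truncate"},
    "x": {"execve"},
    "a": {"chmod", "chown"},
}


@dataclass(frozen=True)
class Rule:
    text: str
    syscalls: frozenset          # ALL or a set of syscall names
    path: Optional[str]          # set only for -w watches
    key: Optional[str]


@dataclass(frozen=True)
class Event:
    syscall: str
    path: str


def parse_rule(line: str) -> Rule:
    """Parse one auditctl line. -S/-w/-p/-k are modelled; -a list,action and
    -F field filters are consumed but ignored. Every option takes one argument."""
    toks = shlex.split(line)
    syscalls, path, key, perms = set(), None, None, None
    i = 0
    while i + 1 < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-S":
            syscalls.update(arg.split(","))
        elif opt == "-w":
            path = arg
        elif opt == "-p":
            perms = arg
        elif opt == "-k":
            key = arg
        i += 2
    if path is not None:                      # a watch expands to syscalls via its perms
        for p in perms or "rwxa":
            syscalls.update(PERM_SYSCALLS[p])
    if not syscalls or "all" in syscalls:
        syscalls = ALL
    return Rule(line, frozenset(syscalls), path, key)


def parse_rules(text: str) -> List[Rule]:
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l) for l in lines]


def matches(rule: Rule, ev: Event) -> bool:
    # Assumption: watches are compared by path string; the kernel matches by inode.
    return (rule.syscalls == ALL or ev.syscall in rule.syscalls) and \
           (rule.path is None or rule.path == ev.path)


def first_match(rules: List[Rule], ev: Event) -> Optional[Rule]:
    """First-match semantics: the first matching rule decides and later rules
    are never consulted, so its key is the only one the consumer sees."""
    return next((r for r in rules if matches(r, ev)), None)


def all_matches(rules: List[Rule], ev: Event) -> List[Rule]:
    """Evaluate-all semantics: every matching rule contributes its key."""
    return [r for r in rules if matches(r, ev)]


def covers(a: Rule, b: Rule) -> bool:
    """True if every event b can match is also matched by a (a subsumes b)."""
    sys_ok = a.syscalls == ALL or (b.syscalls != ALL and b.syscalls <= a.syscalls)
    path_ok = a.path is None or a.path == b.path
    return sys_ok and path_ok


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Pairs (j, i): rule j can never be the first match because the earlier
    rule i covers it. This is the warning a loader could emit after a file."""
    out = []
    for j, b in enumerate(rules):
        for i in range(j):
            if covers(rules[i], b):
                out.append((j, i))
                break
    return out


# Constructed rule set: a generic syscall rule placed before specific watches.
RULES = """
-a exit,always -S open,openat -k generic_open
-w /etc/shadow -p r -k shadow_read
-w /etc/passwd -p wa -k passwd_change
-a exit,always -S execve -k exec
-w /usr/bin/sudo -p x -k sudo_exec
"""

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for j, i in shadowed(rules):
        print(f"warning: rule {j} ({rules[j].key}) is shadowed by rule {i} ({rules[i].key})")
    ev = Event("open", "/etc/passwd")
    print("first-match key:  ", first_match(rules, ev).key)
    print("evaluate-all keys:", [r.key for r in all_matches(rules, ev)])
```

Run as a script it reports `shadow_read` and `sudo_exec` as fully shadowed, and for an `open` of `/etc/passwd` shows the difference between the two semantics: first-match returns only `generic_open`, while evaluate-all also yields `passwd_change`. The `passwd_change` rule is not flagged as shadowed because its `-p wa` perms cover syscalls the generic rule does not, which is the partial-overlap case where only an evaluate-all mode preserves the watch's key.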
