On Wed, 19 Mar 2008 14:54:16 EDT, Steve Grubb said:

>> 2) An audit rule wasn't set at all.
>
> Again nothing to worry about since they haven't set the system up yet.

No - it's one of the failure modes you said you were worried about:

> The problem is that you can tell the IDS that you want any reads
> of /opt/my-secrets, but unless you have a matching audit rule you will not
> get any records. This allows you to make sure you have a watch paired with
> its meaning.

Exactly - if you're missing the rule, you don't get records. Determining whether it's a problem because a rule is missing, or not a problem because "it's not set up yet", isn't anything the kernel should be involved in - other than to maybe notify us "Hey dood, you have exactly zero rules set, you might want to check what happened".

> I have also been wondering about detecting shadowed rules and warning when
> auditctl finishes a file.

I wasn't even thinking about that - I was thinking of the ones that are like the old SNL skit - a dessert topping *and* a floor wax. Say, one rule triggered on an event because it's an unsuccessful open, and another rule would have triggered because it was a reference to a watched file....
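A userspace check for the gap discussed above (an IDS expecting records for a watched path that has no matching audit rule, plus the same path watched by more than one rule). This is an added example, not code from this thread or from the audit project; the rule text is constructed in the shape of `auditctl -l` output and the function names are my own.

```shell
#!/bin/sh
# Added example: verify that every path the IDS wants events for has a
# matching "-w" watch in the loaded audit rules, and flag paths watched
# by more than one rule. SAMPLE_RULES is constructed to look like
# `auditctl -l` output; nothing here talks to the kernel.

SAMPLE_RULES='-w /etc/shadow -p wa -k identity
-w /opt/my-secrets -p r -k secrets
-w /opt/my-secrets -p rwa -k everything
-a always,exit -F arch=b64 -S open -F success=0 -k failed-open'

# watched_paths RULES : print the path of every "-w" rule, one per line
watched_paths() {
    printf '%s\n' "$1" | awk '$1 == "-w" { print $2 }'
}

# missing_watches RULES PATH... : print each PATH that has no "-w" rule,
# i.e. a path the IDS would wait on forever without ever seeing a record
missing_watches() {
    rules=$1
    shift
    for p in "$@"; do
        watched_paths "$rules" | grep -qx -- "$p" || printf '%s\n' "$p"
    done
}

# duplicate_watches RULES : print each path that appears in more than one
# "-w" rule, a simple stand-in for the "shadowed rule" warning discussed
duplicate_watches() {
    watched_paths "$1" | sort | uniq -d
}

# Stand-alone usage against the constructed rule list
echo "missing:";   missing_watches "$SAMPLE_RULES" /etc/shadow /opt/my-secrets /var/log/secure
echo "duplicate:"; duplicate_watches "$SAMPLE_RULES"
```

On a live system the same functions can be fed the real rule list with `missing_watches "$(auditctl -l)" /opt/my-secrets`.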
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
