On Mon, 2008-08-25 at 15:47 -0500, LC Bruzenak wrote: > On Mon, 2008-08-25 at 16:41 -0400, Steve Grubb wrote: > > On Monday 25 August 2008 16:24:35 LC Bruzenak wrote: > > > I think I just saw the answer in the audisp-prelude man page: > > > ... > > > -w /etc/shadow -p wa > > > > > > and you want idmef alerts on this, you need to add -k > > > ids-file-med or something appropriate to signal to the plugin > > > that this message is for it. > > > > Yes, you'd add -k ids-file- and the one of: info, low, med, or high > > depending on how severe you consider this access. > > > > -Steve > > ...and of course then that made me think if we can do this for the file > watches, why not for user-submitted events also? Some of these I am > already sending into the prelude system via patched audisp-prelude.c > code, but I'd prefer to rip out this hack and instead just have a > matching key identified.
I don't know why I cannot think until after I hit the "send" button... :) The problem there is that I still want to build the prelude event with some added name=value information I stuck in to the audit event text, which I'd like to see in the prewikka viewer. LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
