On Mon, 2008-08-25 at 17:09 -0400, Steve Grubb wrote: > On Monday 25 August 2008 16:47:38 LC Bruzenak wrote: > > > Yes, you'd add -k ids-file- and the one of: info, low, med, or high > > > depending on how severe you consider this access. > > > > ...and of course then that made me think if we can do this for the file > > watches, why not for user-submitted events also? > > The problem is that user space originating events do not have keys. So, there > is no way to setup audit policy from the audit configuration. You could try > adding them in the message being sent to the kernel. But this then means its > hardcoded and no one can change it to something lower if they don't like it.
Yes. > > > > Some of these I am already sending into the prelude system via patched > > audisp-prelude.c code, but I'd prefer to rip out this hack and instead just > > have a matching key identified. > > There is a lot of specialized information aside from the key that must go > into > an alert. Source and target of attack must be clearly identified, impact, > severity, category, etc. Not sure how to get that from a generic key. Any > ideas along this line? I think it would be quite difficult to figure out how to get that information into/out of a key... I only really care about the source (UID/GID/PID/processname) and the audit text and serial number (added as additional data), assuming the severity is high enough, to go into the prelude event. I guess the option still exists for users to just add their own customized prelude plugin; essentially emulating all the same things your code already does. But I didn't relish having to duplicate all the administration and the code. Along those lines, I was thinking that another option would be a separate pass-through event, meant only for the plugin(s). If the event was free-form from the audit perspective (maybe a structure with length + buffer), but its format was part of the audisp-plugins RPM, it would probably work. In the end, this is what I'm really doing - sending a pass-through to the established audit->prelude connection. I'm probably misusing the intent to my own ends... Thx, LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
