From: "Juraj Hlista" <juro....@gmail.com>

I'm working on an implementation of reactive rules for audit. 
I've come up with a new type of rule (AUDIT_ALWAYS_REACT) 
which is almost the same as AUDIT_ALWAYS. The only difference is that 
the kernel generates one more message of type REACT_RULE when this 
rule is used. For instance, let's suppose that the reactive rule was added 
to the rule set with auditctl: 

auditctl -a exit,react -F path=/tmp/file -F perm=r 

then "cat /tmp/file" generates the following audit message: 

type=REACT_RULE msg=audit(1259164875.572:4): 
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes 
exit=3 a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 
ses=4294967295 comm="cat" exe="/bin/cat" key=(null) 
type=CWD msg=audit(1259164875.572:4): cwd="/root" 
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872 
dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 

Also, I'm working on a plugin which watches for messages of 
type REACT_RULE and makes decisions accordingly. This plugin 
has a configuration file which could look like this: 

variable = 0; 
"action1" { 
   exec "program1" 
   add/delete rule 
   if (variable == 0) { 
      exec "program2" 
   } 
} 

The problem is that the plugin needs to recognize which reactive rules 
have been reacted to. The kernel just generates messages without 
any identifier. 

In order to solve this, auditctl has to add an identifier to the reactive 
rule somehow, for example, using the -k parameter: 

auditctl -a exit,react -k "action1" -F path=/tmp/file -F perm=r 

Another solution would be to create a new parameter, for example, -k_react. 

Any suggestions? 

---------- 

--- Begin Message ---
Hi,

please forward this post to the mailing list, which I have not yet
managed to subscribe to. Thank you

Juraj

--- End Message ---
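Added example, not part of Juraj's post or of the audit project's code: a small Python sketch of the plugin side under the -k proposal from the post, i.e. assuming the key= field of the SYSCALL record carries the action name while the REACT_RULE record itself carries nothing. It groups records by the audit serial in msg=audit(timestamp:serial), treats an event as reactive only when a REACT_RULE record is present, dispatches on the key, and reports the case the post describes as the problem: a reactive event whose key is (null) and therefore cannot be matched to an action. The sample records (the event from the post plus two constructed ones) and the action table are constructed for the example; the action1 handler is a stand-in for the exec "program1" line of the configuration.

```python
"""Added example (hypothetical plugin logic, not the poster's or the audit
project's code): correlate REACT_RULE records with the SYSCALL record of the
same audit event and dispatch on the rule key set with 'auditctl -k'.
"""
import re
from collections import defaultdict

# Constructed sample: event 4 is the one from the post with key="action1",
# event 5 has a key but no REACT_RULE record (must not dispatch), and
# event 6 is reactive but was added without -k, so key=(null).
SAMPLE_RECORDS = """\
type=REACT_RULE msg=audit(1259164875.572:4):
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="action1"
type=CWD msg=audit(1259164875.572:4): cwd="/root"
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1259164876.100:5): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1170 comm="cat" exe="/bin/cat" key="audit_only"
type=PATH msg=audit(1259164876.100:5): item=0 name="/etc/hostname"
type=REACT_RULE msg=audit(1259164877.300:6):
type=SYSCALL msg=audit(1259164877.300:6): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=1171 comm="cat" exe="/bin/cat" key=(null)
"""

# "type=T msg=audit(TS:SERIAL): rest-of-record"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record into type, serial, timestamp and a field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for k, v in FIELD_RE.findall(m.group('body')):
        fields[k] = v[1:-1] if v.startswith('"') else v
    return {'type': m.group('type'), 'serial': int(m.group('serial')),
            'ts': m.group('ts'), 'fields': fields}


def group_events(lines):
    """Group records by audit serial so every record of one event sits together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return events


def reactive_key(records):
    """Return (is_reactive, key). is_reactive is True when the event carries a
    REACT_RULE record; key is taken from the SYSCALL record's key= field, or
    None when the rule was added without -k (key=(null))."""
    is_reactive = any(r['type'] == 'REACT_RULE' for r in records)
    if not is_reactive:
        return False, None
    for r in records:
        if r['type'] == 'SYSCALL':
            key = r['fields'].get('key')
            if key and key != '(null)':
                return True, key
    return True, None


def dispatch(lines, actions):
    """Run the configured action for each reactive event.
    Returns a list of (serial, key, outcome) so callers can inspect decisions."""
    results = []
    for serial, records in sorted(group_events(lines).items()):
        is_reactive, key = reactive_key(records)
        if not is_reactive:
            continue  # ordinary AUDIT_ALWAYS event: nothing to react to
        if key is None:
            # The problem from the post: the kernel emitted REACT_RULE but
            # nothing tells us which reactive rule it belongs to.
            results.append((serial, None, 'reactive event without identifier'))
            continue
        handler = actions.get(key)
        if handler is None:
            results.append((serial, key, 'no action configured'))
            continue
        syscall = next(r for r in records if r['type'] == 'SYSCALL')
        results.append((serial, key, handler(syscall['fields'])))
    return results


def action1(fields):
    """Stand-in for the configuration's 'exec "program1"': describes what would run."""
    return 'program1 for pid=%s exe=%s' % (fields.get('pid'), fields.get('exe'))


# Constructed action table, mirroring the "action1" block of the sample config.
ACTIONS = {'action1': action1}

if __name__ == '__main__':
    for item in dispatch(SAMPLE_RECORDS.splitlines(), ACTIONS):
        print(item)
```

The key point for the plugin design is that correlation happens on the serial, not on record order: audispd-style consumers receive records one at a time, so a REACT_RULE record on its own is useless and the plugin has to hold the event until its SYSCALL record (and the key) arrives, which is exactly why some identifier in the rule, whether via -k or a dedicated parameter, is needed.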
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
