On Wed, Mar 31, 2010 at 12:23 AM, Al Viro <[email protected]> wrote:
> On Wed, Mar 31, 2010 at 12:17:11AM +0200, Juraj Hlista wrote:
>> From: Juraj Hlista <[email protected]>
>>
>> Add support for reactive rules. An audit rule can contain more than one
>> reaction. The reactions are identified by numbers in the kernel and by
>> strings in the user space.
>
> Huh? We already have a way to associate a unique key with a rule; what does
> that patch offer that can't be happily handled by userland with what we
> already have?
>

If the key was used to associate reactions with a rule, it could be done, for example, by adding a "react-" prefix to the key (-F key=react-r1). In order to detect whether a match was found with a reactive rule, every single audit event would have to be checked for a key with the "react-" prefix, which is not effective.
There is no need to parse audit events and check whether they have such a key. When a match with a reactive rule is found, the patch adds a new record at the beginning of the audit event, for example:

type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fff8022f767 a1=941 a2=1b6 a3=7fff8022e040 items=2 ppid=2777 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4): cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=0 name="/tmp/" inode=8112 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file" inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

The user space only checks the type of the record instead of parsing it and looking for the keys. The REACT_RULE record has only a list of reactions; the mapping of reaction numbers to strings is described in:
https://www.redhat.com/archives/linux-audit/2010-March/msg00040.html

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
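An added example, not part of the thread or of the patch, showing the two detection approaches discussed above side by side on a constructed log: records are grouped into events by the audit(timestamp:serial) id, the patch's approach inspects only the first record's type, and the key-based alternative has to parse every record. The "react=" value is assumed to be a comma-separated list of reaction numbers, and event 5 is a hypothetical ordinary match carrying a "react-" key.

```python
import re
from collections import OrderedDict

# Each audit record starts with its type and the event id "audit(timestamp:serial)";
# all records belonging to one event share the same id.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')

# Constructed sample (abridged from the event quoted in the message): event 4 matched a
# reactive rule and carries the REACT_RULE record; event 5 is a hypothetical ordinary
# match whose rule used the "react-" key prefix instead.
SAMPLE_LOG = """\
type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2 success=yes exit=3 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4): cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=0 name="/tmp/" inode=8112 dev=08:02 mode=041777
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file" inode=9400 dev=08:02 mode=0100644
type=SYSCALL msg=audit(1270026005.100:5): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="react-r1"
type=CWD msg=audit(1270026005.100:5): cwd="/root"
type=PATH msg=audit(1270026005.100:5): item=0 name="/etc/passwd" inode=1234 dev=08:02 mode=0100644
"""

def group_events(log_text):
    """Group raw records into events keyed by serial, preserving record order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record line
        events.setdefault(int(m['serial']), []).append((m['type'], m['body']))
    return events

def reactions_from_react_rule(records):
    """Patch approach: only the type of the first record has to be checked."""
    rtype, body = records[0]
    if rtype != 'REACT_RULE':
        return []
    m = re.search(r'react=([\d,]+)', body)  # assumed comma-separated reaction numbers
    return [int(n) for n in m.group(1).split(',')] if m else []

def reactions_from_keys(records):
    """Key-based alternative: every record must be parsed for a "react-" key."""
    found = []
    for _, body in records:
        for key in re.findall(r'key="([^"]*)"', body):
            if key.startswith('react-'):
                found.append(key[len('react-'):])
    return found
```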
