From: Steve Grubb
Subject: Re: Auditd and Watches
Date: Thu, 24 May 2007 11:51:22 -0400
Message-ID: <200705241151.22214.sgrubb@redhat.com>
References: <200705241010.08629.sgrubb@redhat.com>
To: "Simmons Jr,Felix"
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 24 May 2007 11:32, Simmons Jr,Felix wrote:
> >> AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test,
> >> filterkey=test-file, perms=wa, valid=0
> >
> > This seems slightly odd output. What kernel and audit package are you
> > using?
>
> audit-1.0.14-1.EL4 (I know it's a little old but it's what we already
> rolled out in our distro from redhat).
> As far as kernel - 2.6.9-42.0.10.Elsmp (I'm on 64-bit architecture).

OK, I guess it's been a while since I saw what came out of the RHEL4 rule
listing.

> > Yes, I am working on an IDS/IPS system, too. But it doesn't use the
> > logs, rather it uses the realtime interface so it can react in realtime.
> > I made a presentation about it at the Red Hat Summit a couple weeks ago
> > and put my presentation here:
>
> Thanks again, I'll give your recommendation a try.

Regarding RHEL4, the audit-1.0.15 package has the realtime interface. It does
not have an event dispatcher yet, but it will use the one we settle on for
RHEL5.1. In the meantime, there is a program, skeleton.c in the audit package
that you can use to write your own event collector.

Also, the rules I gave you to exclude audit events do not work on the RHEL4
kernel. So, writing a program to process only interesting events would be
your best option on RHEL4 and then disregard the logs altogether.

> So I take it by reacting realtime as the event is processed by auditd and
> the event dispatcher it eliminates the potential for an event to be missed
> due to buffering or some other reason for the event not making it to the
> audit.log quick enough.

I suppose, but there is very little memory allocating done in the audit
daemon. What I consider the most important feature of the realtime interface
is that it allows you to write a program to get the events as they occur and
do something with them. You do not have to write a cron job which would be
slow to react or do something like tail which doesn't work when the logs get
rotated.

> Interesting, that then almost makes it so the audit.log can be rotated out a
> lot quicker and the true important events stored in the ids system.

Sure. You can also tell the audit daemon not to log anything to disk if you
really trust the realtime path, too.

-Steve
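As an added illustration of the "process only interesting events" collector described in the thread (this is not code from the audit package, skeleton.c, or the thread itself): a small Python filter that reads audit records as text lines, groups them into events by serial number, and keeps only events carrying the test-file key from the watch above. It assumes the collector receives one record per line, as a dispatcher plugin would on stdin; the sample records are constructed, not captured from a real system.

```python
import re
import sys
from collections import defaultdict

# Record header as written by the audit daemon: "type=SYSCALL msg=audit(SECS.MSECS:SERIAL): ..."
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs in the record body; values may be double-quoted.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into (type, serial, fields); None if the line is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, _timestamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return rtype, int(serial), fields

def interesting_events(lines, key):
    """Group records by serial and keep only events whose SYSCALL record carries the wanted key.

    Everything else is dropped, so the collector never has to consult audit.log."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial].append((rtype, fields))
    return {serial: recs for serial, recs in events.items()
            if any(t == "SYSCALL" and f.get("key") == key for t, f in recs)}

def watched_paths(event):
    """Paths touched by an event, taken from its PATH records."""
    return [f["name"] for t, f in event if t == "PATH" and "name" in f]

# Constructed sample: one write to the watched file (key test-file) and one unrelated read.
SAMPLE = [
    'type=SYSCALL msg=audit(1179960000.100:101): arch=c000003e syscall=2 success=yes exit=3 comm="vi" exe="/bin/vi" key="test-file"',
    'type=PATH msg=audit(1179960000.100:101): item=0 name="/var/tmp/important_test" inode=12345 dev=68:02',
    'type=SYSCALL msg=audit(1179960000.200:102): arch=c000003e syscall=2 success=yes exit=4 comm="cat" exe="/bin/cat" key=(null)',
    'type=PATH msg=audit(1179960000.200:102): item=0 name="/etc/hosts" inode=222 dev=68:02',
]

if __name__ == "__main__":
    # Read records from stdin when run as a plugin; fall back to the sample for a dry run.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for serial, recs in interesting_events(source, "test-file").items():
        syscall = next(f for t, f in recs if t == "SYSCALL")
        print(f"event {serial}: {syscall.get('exe')} touched {watched_paths(recs)}")
```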