From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: juro <juro.fit@gmail.com>, Miloslav Trmac <mitr@redhat.com>
Subject: Re: Reactive rules (from juro.fit@gmail.com)
Date: Mon, 24 Aug 2009 15:28:50 -0400
Message-ID: <200908241528.50647.sgrubb@redhat.com>
In-Reply-To: <1056392541.1213981250665925854.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
On Wednesday 19 August 2009 03:12:05 am Miloslav Trmac wrote:
> I suggest that a change should be done in the kernel. The events
> are filtered in it so that there is no need to parse the messages
> sent to the auditd and this solution wouldn't cause any increase
> in the load of the system caused by auditing.
I suppose you could hook into the exclude filter and check events there.
> First of all, the syntax of the rules should be changed a bit to
> include reactive rules. It could look like this:
>
> rule1
> rule2 {
> rule2_1
> rule2_2
> }
> rule3
>
> When an event that rule2 watches for occurs, rule2_1 and rule2_2
> will be added/removed to/from the rule set.
You could also do matching based on a new field rather than change the syntax
of the rules. It could work like the key field except it's a number. The high bit
could determine if it's add/delete.
> The change in the syntax means a change in auditctl.c. Also,
> struct audit_rule_data needs to be altered to include some flag
> that makes it possible to recognize between the types of rules
> when passed to the kernel.
The less changed in the kABI the better. It needs to stay backward/forward
compatible in different combinations of kernel and user space.
-Steve
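The two proposals above, modelled in user space as an added example (this is not auditctl or kernel code from the audit project): the nested rule syntax quoted from Miloslav is parsed into a flat list of rules, and each rule carries a 32-bit field of the kind Steve describes, a group number in the low 31 bits with the high bit selecting add versus delete. The `!name` notation for unloading an already-loaded rule when the opener fires, the one-level nesting limit, and the names `parse_rules`, `fire_rule`, `REACT_DELETE` and `REACT_GROUP` are assumptions of this example; the thread only sketches additions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from audit/auditctl or the kernel. It models the two
 * ideas in the thread in user space: the nested rule syntax is parsed into a
 * flat rule list, and each rule carries a numeric field where the high bit
 * selects add/delete. The "!name" notation (unload an already-loaded rule when
 * the opener fires) is an assumption of this example. */

#define MAX_RULES    16
#define REACT_DELETE 0x80000000u  /* high bit: a firing trigger unloads this rule */
#define REACT_GROUP  0x7fffffffu  /* low 31 bits: trigger group number, 0 = none */

struct rule {
    char name[32];
    int active;        /* 1 = currently loaded in the (simulated) kernel rule set */
    uint32_t trigger;  /* group this rule fires when an event matches it, 0 = none */
    uint32_t react;    /* group | REACT_DELETE: what a fired trigger does to this rule */
};

struct ruleset { struct rule r[MAX_RULES]; int n; };

int find_rule(const struct ruleset *rs, const char *name)
{
    for (int i = 0; i < rs->n; i++)
        if (strcmp(rs->r[i].name, name) == 0) return i;
    return -1;
}

/* Active flag of the named rule, or -1 if there is no such rule. */
int rule_active(const struct ruleset *rs, const char *name)
{
    int i = find_rule(rs, name);
    return i < 0 ? -1 : rs->r[i].active;
}

/* Whitespace-separated tokens; '{' and '}' are tokens even when glued to a name. */
static int next_token(const char **p, char *buf, size_t len)
{
    const char *s = *p;
    size_t i = 0;
    while (*s && isspace((unsigned char)*s)) s++;
    if (!*s) return 0;
    if (*s == '{' || *s == '}')
        buf[i++] = *s++;
    else
        while (*s && !isspace((unsigned char)*s) && *s != '{' && *s != '}' && i + 1 < len)
            buf[i++] = *s++;
    buf[i] = '\0';
    *p = s;
    return 1;
}

/* Parse "rule1 rule2 { rule2_1 rule2_2 } rule3" (one nesting level, as in the
 * thread). Group members are loaded when the opener fires; a member written
 * "!name" must be an already-listed top-level rule and is unloaded when the
 * opener fires. Returns the rule count, or -1 on a syntax error. */
int parse_rules(const char *text, struct ruleset *rs)
{
    char tok[32];
    uint32_t cur_group = 0, next_group = 0;
    const char *p = text;

    memset(rs, 0, sizeof *rs);
    while (next_token(&p, tok, sizeof tok)) {
        if (strcmp(tok, "{") == 0) {          /* opener = last top-level rule */
            if (cur_group || rs->n == 0 || rs->r[rs->n - 1].react) return -1;
            cur_group = ++next_group;
            rs->r[rs->n - 1].trigger = cur_group;
        } else if (strcmp(tok, "}") == 0) {
            if (!cur_group) return -1;
            cur_group = 0;
        } else if (tok[0] == '!') {           /* deletion target must already exist */
            int i = find_rule(rs, tok + 1);
            if (!cur_group || !tok[1] || i < 0 || rs->r[i].react) return -1;
            rs->r[i].react = cur_group | REACT_DELETE;
        } else {
            if (rs->n >= MAX_RULES) return -1;
            struct rule *r = &rs->r[rs->n++];
            snprintf(r->name, sizeof r->name, "%s", tok);
            r->react = cur_group;             /* 0 for an ordinary rule */
            r->active = cur_group ? 0 : 1;    /* group members start unloaded */
        }
    }
    return cur_group ? -1 : rs->n;
}

/* An event matched rule `idx`: apply what its trigger group does to the other
 * rules. Returns how many rules changed state (0 on a repeat firing). */
int fire_rule(struct ruleset *rs, int idx)
{
    int changed = 0;
    if (idx < 0 || idx >= rs->n || !rs->r[idx].active || rs->r[idx].trigger == 0)
        return 0;
    for (int i = 0; i < rs->n; i++) {
        struct rule *d = &rs->r[i];
        if ((d->react & REACT_GROUP) != rs->r[idx].trigger) continue;
        int want = (d->react & REACT_DELETE) ? 0 : 1;
        if (d->active != want) { d->active = want; changed++; }
    }
    return changed;
}

/* Syntax check only: rule count or -1. */
int parse_count(const char *text)
{
    struct ruleset rs;
    return parse_rules(text, &rs);
}

int main(void)
{
    struct ruleset rs;
    /* constructed configuration, not taken from the thread */
    int n = parse_rules("rule1 rule2 { rule2_1 rule2_2 !rule1 } rule3", &rs);
    printf("%d rules parsed; rule2_1 active=%d\n", n, rule_active(&rs, "rule2_1"));
    printf("rule2 fired: %d rules changed\n", fire_rule(&rs, find_rule(&rs, "rule2")));
    printf("rule2_1 active=%d rule1 active=%d\n",
           rule_active(&rs, "rule2_1"), rule_active(&rs, "rule1"));
    return 0;
}
```

`fire_rule` is the part that would sit on the kernel side (Steve's remark about hooking the exclude filter points at the place an event is already being matched), and `parse_rules` is the auditctl side. Encoding the reaction as a number in an existing rule field rather than as new syntax is what keeps the kernel/user-space interface unchanged, which is the compatibility concern raised above; the example also rejects nested groups and openers that are themselves members, since the thread's sketch only shows one level.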
Thread overview: 2+ messages
[not found] <a1e54a1c0908181508t7efd3b1aub920a4b6750ae74e@mail.gmail.com>
2009-08-19 7:12 ` Reactive rules (from juro.fit@gmail.com) Miloslav Trmac
2009-08-24 19:28 ` Steve Grubb [this message]