From: Eric Paris <eparis@redhat.com>
To: Linda Knippers <linda.knippers@hp.com>
Cc: Valdis.Kletnieks@vt.edu, Linux Audit <linux-audit@redhat.com>
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 17:41:07 -0400 [thread overview]
Message-ID: <1205962867.6333.13.camel@localhost.localdomain> (raw)
In-Reply-To: <47E18645.5060005@hp.com>
On Wed, 2008-03-19 at 17:31 -0400, Linda Knippers wrote:
> Steve Grubb wrote:
> > By using the key field, its in plain sight and done with purpose. Not enough
> > events to trap something important, widen it in audit.rules and you also know
> > that this will send more to disk. No suprises there.
>
> I'm actually in favor of using the key, just in using it like its used
> today. All the capp watches have unique keys, and an admin could create
> more/different rules with different keys. I think that the IDS
> should have different configuration information to tell it what to look
> for and what to do with it, rather than embedding it into a short field
> in the audit record. What if other plug-ins also want to use that
> field?
So maybe all we need is for the ids config file needs to be of the form
key type priority
so I can set up my audit rule however I want say
-a always,exit -F perms=wa -F auid>=500 -F exit=-EPERM -F dir=/etc -k 500EPERM
-a always,exit -F perms=wa -F subj_role=webadmin_r -F exit=-EPERM -k webadminEPERM
And my ids config file would look like:
500EPERM file med
webadminEPERM exec high
And on startup the ids can easily look to see if 500EPERM and
webadminEPERM are actually keys to real rules just for sanity sake. Is
the reverse mapping from key to ids action really so expensive that this
is unreasonable?
I tend to also agree with the part of the discussion which says that it
isn't audit's place to decide that some rules are meant for disk and
some rules aren't. Unless we add some new explicit rule syntax for just
that case.....
-Eric
next prev parent reply other threads:[~2008-03-19 21:41 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-03-19 17:02 [RFC] programmatic IDS routing Steve Grubb
2008-03-19 17:12 ` Linda Knippers
2008-03-19 17:40 ` Steve Grubb
2008-03-19 17:55 ` Steve Grubb
2008-03-19 18:18 ` Valdis.Kletnieks
2008-03-19 18:54 ` Steve Grubb
2008-03-19 20:09 ` Valdis.Kletnieks
2008-03-19 18:05 ` Valdis.Kletnieks
2008-03-19 18:40 ` Steve Grubb
2008-03-19 19:04 ` Linda Knippers
2008-03-19 19:28 ` Steve Grubb
2008-03-19 19:48 ` Eric Paris
2008-03-19 20:48 ` Steve Grubb
2008-03-19 19:55 ` Linda Knippers
2008-03-19 21:01 ` Steve Grubb
2008-03-19 21:31 ` Linda Knippers
2008-03-19 21:41 ` Eric Paris [this message]
2008-03-19 22:42 ` Steve Grubb
2008-03-19 23:00 ` Linda Knippers
2008-03-19 23:44 ` Steve Grubb
2008-03-20 13:32 ` Linda Knippers
2008-03-20 13:53 ` Steve Grubb
2008-03-21 10:28 ` Klaus Heinrich Kiwi
2008-03-21 12:50 ` Steve Grubb
2008-03-21 14:14 ` LC Bruzenak
2008-03-21 15:01 ` Steve Grubb
2008-03-21 16:32 ` LC Bruzenak
2008-03-24 13:13 ` Klaus Heinrich Kiwi
2008-03-20 12:19 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1205962867.6333.13.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=linda.knippers@hp.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox