From mboxrd@z Thu Jan  1 00:00:00 1970
From: Eric Paris <eparis@redhat.com>
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 17:41:07 -0400
Message-ID: <1205962867.6333.13.camel@localhost.localdomain>
References: <200803191302.48434.sgrubb@redhat.com>
	<200803191528.55805.sgrubb@redhat.com> <47E16FAB.4010601@hp.com>
	<200803191701.35669.sgrubb@redhat.com>  <47E18645.5060005@hp.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <47E18645.5060005@hp.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linda Knippers <linda.knippers@hp.com>
Cc: Valdis.Kletnieks@vt.edu, Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Wed, 2008-03-19 at 17:31 -0400, Linda Knippers wrote:
> Steve Grubb wrote:

> > By using the key field, its in plain sight and done with purpose. Not enough 
> > events to trap something important, widen it in audit.rules and you also know 
> > that this will send more to disk. No suprises there.
> 
> I'm actually in favor of using the key, just in using it like its used
> today.  All the capp watches have unique keys, and an admin could create
> more/different rules with different keys.  I think that the IDS
> should have different configuration information to tell it what to look
> for and what to do with it, rather than embedding it into a short field
> in the audit record.  What if other plug-ins also want to use that
> field?

So maybe all we need is for the ids config file needs to be of the form

key type priority

so I can set up my audit rule however I want say

-a always,exit -F perms=wa -F auid>=500 -F exit=-EPERM -F dir=/etc -k 500EPERM
-a always,exit -F perms=wa -F subj_role=webadmin_r -F exit=-EPERM -k webadminEPERM

And my ids config file would look like:

500EPERM	file	med
webadminEPERM	exec	high

And on startup the ids can easily look to see if 500EPERM and
webadminEPERM are actually keys to real rules just for sanity sake.  Is
the reverse mapping from key to ids action really so expensive that this
is unreasonable?

I tend to also agree with the part of the discussion which says that it
isn't audit's place to decide that some rules are meant for disk and
some rules aren't.  Unless we add some new explicit rule syntax for just
that case.....

-Eric