From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: prelude events
Date: Mon, 25 Aug 2008 16:03:32 -0500
Message-ID: <1219698212.7022.821.camel@homeserver>
References: <1219695605.7022.807.camel@homeserver>
	<1219695875.7022.811.camel@homeserver>
	<200808251641.47803.sgrubb@redhat.com>
	<1219697258.7022.815.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <1219697258.7022.815.camel@homeserver>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2008-08-25 at 15:47 -0500, LC Bruzenak wrote:
> On Mon, 2008-08-25 at 16:41 -0400, Steve Grubb wrote:
> > On Monday 25 August 2008 16:24:35 LC Bruzenak wrote:
> > > I think I just saw the answer in the audisp-prelude man page:
> > > ...
> > > -w /etc/shadow -p wa
> > >
> > > and you want idmef alerts on this, you need to add -k
> > > ids-file-med or something appropriate to signal to the plugin
> > > that this message is for it.
> >
> > Yes, you'd add -k ids-file- and one of: info, low, med, or high
> > depending on how severe you consider this access.
> >
> > -Steve
>
> ...and of course then that made me think if we can do this for the file
> watches, why not for user-submitted events also? Some of these I am
> already sending into the prelude system via patched audisp-prelude.c
> code, but I'd prefer to rip out this hack and instead just have a
> matching key identified.

I don't know why I cannot think until after I hit the "send" button... :)

The problem there is that I still want to build the prelude event with
some added name=value information I stuck into the audit event text,
which I'd like to see in the prewikka viewer.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
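An added illustration of the key convention Steve describes (this is not code from audisp-prelude, from the audit project, or from anyone on this thread, and it does not reproduce the plugin's parser): a small Python classifier that takes the `-k` argument of an audit rule, or the `key="..."` field of an audit.log record, and decides whether the record is addressed to the plugin and at which of the four severities (`ids-file-info/low/med/high`). The audit.log lines are constructed samples. The third sample extends the scheme to a user-submitted record carrying `key=` and extra name=value pairs inside its message text, which is the approach LC proposes rather than anything the plugin is shown doing; that part, and the `ids-user-*` key name, are assumptions.

```python
"""Illustration of the ids-<kind>-<severity> audit key convention.

Added example; it is not audisp-prelude code. The audit.log line formats
below are constructed samples, not real log data.
"""
import re
import shlex
from typing import Dict, Optional, Tuple

# Severity suffixes named in the thread: ids-file-info/low/med/high.
SEVERITIES = ("info", "low", "med", "high")

# A quoted key field as it appears on a SYSCALL record: key="ids-file-med".
# (audit hex-encodes the field when several keys are attached to one rule;
# that form is not handled here.)
KEY_RE = re.compile(r'\bkey="([^"]*)"')
# Free text of a user-submitted record sits inside msg='...'.
MSG_RE = re.compile(r"msg='([^']*)'")
# name=value pairs inside that text; values may be bare or double-quoted.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    # file watch hit on /etc/shadow, tagged for the plugin at medium severity
    'type=SYSCALL msg=audit(1219698212.321:4321): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7fff1234 a1=241 a2=1a4 a3=0 items=1 ppid=7000 '
    'pid=7022 auid=500 uid=0 gid=0 comm="passwd" exe="/usr/bin/passwd" '
    'key="ids-file-med"',
    # ordinary syscall record with no key: not for the plugin
    'type=SYSCALL msg=audit(1219698213.002:4322): arch=c000003e syscall=2 '
    'success=yes exit=4 pid=7030 auid=500 uid=500 comm="cat" exe="/bin/cat" '
    'key=(null)',
    # user-submitted record carrying a key and extra name=value pairs in its
    # text: the scheme LC proposes for application events (assumption)
    "type=USER msg=audit(1219698300.001:4330): user pid=7022 uid=500 auid=500 "
    "msg='key=ids-user-low app=myapp event=login-fail target=bob'",
]


def parse_key(key: str) -> Optional[Tuple[str, str]]:
    """Split 'ids-<kind>-<severity>' into (kind, severity).

    Returns None for keys that do not follow the convention, so records
    keyed for other consumers (e.g. 'backup-job') are left alone.
    """
    parts = key.split("-")
    if len(parts) != 3 or parts[0] != "ids" or parts[2] not in SEVERITIES:
        return None
    return parts[1], parts[2]


def rule_key(rule: str) -> Optional[Tuple[str, str]]:
    """Return (kind, severity) for the -k argument of an audit rule line."""
    args = shlex.split(rule)
    if "-k" not in args or args.index("-k") + 1 >= len(args):
        return None
    return parse_key(args[args.index("-k") + 1])


def classify(record: str) -> Optional[Dict[str, object]]:
    """Decide whether an audit record is addressed to the IDS plugin.

    Returns a dict with the record type, the key's kind and severity, and any
    extra name=value pairs found in a user-submitted message; None otherwise.
    """
    rtype = record.split(" ", 1)[0]
    rtype = rtype[len("type="):] if rtype.startswith("type=") else rtype
    fields: Dict[str, str] = {}

    m = KEY_RE.search(record)
    if m:
        key = m.group(1)
    elif rtype == "USER":
        # Assumption: the key travels inside the free text of a USER record.
        msg = MSG_RE.search(record)
        if not msg:
            return None
        fields = {k: v.strip('"') for k, v in PAIR_RE.findall(msg.group(1))}
        key = fields.pop("key", "")
    else:
        return None

    parsed = parse_key(key)
    if parsed is None:
        return None
    kind, severity = parsed
    return {"type": rtype, "kind": kind, "severity": severity, "fields": fields}


if __name__ == "__main__":
    print(rule_key("-w /etc/shadow -p wa -k ids-file-med"))
    for rec in SAMPLE_RECORDS:
        print(classify(rec))
```

The point of `parse_key` rejecting anything that is not exactly `ids-<kind>-<severity>` is that audit keys are shared with every other consumer of the log (backup jobs, compliance rules), so a plugin that alerted on any key at all would flood the console; the key prefix is what scopes the rule to the IDS path.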