From: LC Bruzenak <lenny@magitekltd.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: prelude events
Date: Mon, 25 Aug 2008 18:41:30 -0500 [thread overview]
Message-ID: <1219707690.7022.907.camel@homeserver> (raw)
In-Reply-To: <200808251709.55257.sgrubb@redhat.com>
On Mon, 2008-08-25 at 17:09 -0400, Steve Grubb wrote:
> On Monday 25 August 2008 16:47:38 LC Bruzenak wrote:
> > > Yes, you'd add -k ids-file- and the one of: info, low, med, or high
> > > depending on how severe you consider this access.
> >
> > ...and of course then that made me think if we can do this for the file
> > watches, why not for user-submitted events also?
>
> The problem is that user space originating events do not have keys. So, there
> is no way to setup audit policy from the audit configuration. You could try
> adding them in the message being sent to the kernel. But this then means its
> hardcoded and no one can change it to something lower if they don't like it.
Yes.
>
>
> > Some of these I am already sending into the prelude system via patched
> > audisp-prelude.c code, but I'd prefer to rip out this hack and instead just
> > have a matching key identified.
>
> There is a lot of specialized information aside from the key that must go into
> an alert. Source and target of attack must be clearly identified, impact,
> severity, category, etc. Not sure how to get that from a generic key. Any
> ideas along this line?
I think it would be quite difficult to figure out how to get that
information into/out of a key...
I only really care about the source (UID/GID/PID/processname) and the
audit text and serial number (added as additional data), assuming the
severity is high enough, to go into the prelude event.
I guess the option still exists for users to just add their own
customized prelude plugin; essentially emulating all the same things
your code already does. But I didn't relish having to duplicate all the
administration and the code.
Along those lines, I was thinking that another option would be a
separate pass-through event, meant only for the plugin(s). If the event
was free-form from the audit perspective (maybe a structure with length
+ buffer), but its format was part of the audisp-plugins RPM, it would
probably work.
In the end, this is what I'm really doing - sending a pass-through to
the established audit->prelude connection. I'm probably misusing the
intent to my own ends...
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
prev parent reply other threads:[~2008-08-25 23:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-25 20:20 prelude events LC Bruzenak
2008-08-25 20:24 ` LC Bruzenak
2008-08-25 20:41 ` Steve Grubb
2008-08-25 20:47 ` LC Bruzenak
2008-08-25 21:03 ` LC Bruzenak
2008-08-25 21:09 ` Steve Grubb
2008-08-25 23:41 ` LC Bruzenak [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1219707690.7022.907.camel@homeserver \
--to=lenny@magitekltd.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox