From mboxrd@z Thu Jan 1 00:00:00 1970 From: LC Bruzenak Subject: Re: user audits Date: Fri, 03 Dec 2010 10:12:25 -0600 Message-ID: <1291392745.2184.38.camel@lcb> References: <1291390837.2184.24.camel@lcb> <201012031054.35569.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <201012031054.35569.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Fri, 2010-12-03 at 10:54 -0500, Steve Grubb wrote: > On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote: > > Would there be any issue with adding a couple new trusted_application > > event types? Would any kernel mods be needed to support this? > > Are these events originating in user space or the kernel? I might be convinced to set > aside the block of IDs from 2600 - 2699 for local use if a suitable framework were > written. This would mean that there is some config file that holds the local mapping of > event IDs to text and ausearch/report/parse will need to be patched to understand > local definitions. Great! >>From user space only. Analogous to signal handling of SIGUSR1, SIGUSR2 where the framework supports the user-implemented pieces. I was thinking ausearch/auparse would treat all the TRUSTED_APPs the same...since they (currently) fails to parse these correctly anyway IMHO. :) Everything else could treat the additional user types exactly as they do the TRUSTED_APP event now. When I dig through the events on the back end I would be able to act differently on the ones I know I've put in place on the originating end. > > Would you be interested in this approach? Absolutely! I will be starting work on some stuff which could utilize this after the holidays. If it gets into RHEL6 I would be thrilled! Thx, LCB -- LC (Lenny) Bruzenak lenny@magitekltd.com