From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 13:02:48 -0400
Message-ID: <200803191302.48434.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from vpn-14-238.rdu.redhat.com (vpn-14-238.rdu.redhat.com
	[10.11.14.238])
	by mail.boston.redhat.com (8.13.1/8.13.1) with ESMTP id m2JH331r014997
	for <linux-audit@redhat.com>; Wed, 19 Mar 2008 13:03:04 -0400
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

Hi,

In working on the IDS piece of the audit system, there are 3 detections that I 
need to solve: watched files, watched execution, and making an executable. In 
this particular case, an admin may have watches and several things for 
archival purposes, but may want an alert if something changes in specific 
files. In order for the IDS system to be able to distinguish an open of a 
watched file from an open of a *special* watched file that an alert should be 
sent for, I'd like to propose a standard way of alerting the IDS that this 
record needs additional scrutiny.

The key field has been in all syscall records for at least 8 kernel releases, 
so I think it is well established that it could be used by this point. It is 
32 char's long. This is longer than what most people will ever need. What I'd 
like to do is to use this field for 2 purposes. One is to continue using it 
as is. The other could be to tell the IDS that this record needs review.

If a key field starts with "ids-" then we could parse it for a specific set of 
uses. We need to be able to distinguish: file, exec, and mkexe. Each of these 
would alert the IDS as to which alert category this fits under. Next, IDMEF 
has 4 severity ratings: info, low, medium, and high. These could be shortened 
to: inf, low, med, hi. This means you could tell the IDS that this is an 
execution attempt that means medium severity by this, "ids-exec-med".

To continue to be able to use the key field for searching, I would propose 
just adding a comma to separate the ids part from the searchable part. So, 
you could do something like this: "ids-file-med,shadow-password". auditctl 
can be fixed so that when it spots "ids-" in the key field, it will check 
that only valid types and severities are being used. This would not affect 
what auditd does in any way.

Thoughts? Comments?

-Steve