From: Steve Grubb
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 14:54:16 -0400
Message-ID: <200803191454.16671.sgrubb@redhat.com>
References: <200803191302.48434.sgrubb@redhat.com> <200803191340.22092.sgrubb@redhat.com> <29287.1205950692@turing-police.cc.vt.edu>
In-Reply-To: <29287.1205950692@turing-police.cc.vt.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Wednesday 19 March 2008 14:18:12 Valdis.Kletnieks@vt.edu wrote:
> However, *no* amount of special tagging will allow the IDS to disambiguate
> these two cases:
>
> 1) An audit rule was set, but no events generated because no activity
> matched.

In which case you have nothing to worry about. :)

> 2) An audit rule wasn't set at all.

Again, nothing to worry about since they haven't set the system up yet.

> "unless you have a matching audit rule you will not get any records" means
> exactly that - so tagging the records you don't receive isn't useful.

But if you don't receive any records, nothing happened. :)

> There *is* the more general case of "I had a generic rule and a special
> watch and *both* fired" - but that problem is in no way IDS specific,

Right, this *is* something to worry about. I was thinking that we could solve
this by having an option that tells the kernel to evaluate all rules and not
just first match. I have also been wondering about detecting shadowed rules
and warning when auditctl finishes a file.

-Steve
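The second idea in Steve's last paragraph, warning about shadowed rules once auditctl has finished loading a file, can be prototyped outside the kernel. What follows is an added example written for this page; it is not code from Steve, from auditctl or from the audit project. It assumes the first-match semantics the thread describes (the kernel acts on the first rule on a list that matches an event, so a later rule whose conditions are a superset of an earlier rule's never fires and its -k key never reaches the record), treats `-w P -p X` as `-a always,exit -F path=P -F perm=X` (an assumption about how auditctl expands watches), honours `-A` placing a rule at the front of the list, and compares only identical `-F` conditions, so it is conservative and will miss containment such as a `dir=` rule covering a `path=` under that directory. The rules file at the bottom is constructed for the demonstration.

```python
"""Linter that flags shadowed rules in an auditctl-style rules file.

Added example, not auditd/auditctl code. Assumes first-match semantics: for a
given event the kernel acts on the first matching rule on a list, so a later
rule whose conditions are a superset of an earlier rule's can never fire.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    lineno: int
    action: str                     # "always" or "never"
    lst: str                        # "exit", "task", "user", "exclude", ...
    syscalls: Optional[set] = None  # None = unrestricted (no -S, or -S all)
    perm: Optional[set] = None      # None = no -p / -F perm= restriction
    fields: set = field(default_factory=set)  # {(name, op, value)} from -F
    key: Optional[str] = None


# Longest operators first so "auid>=1000" is not split at ">".
OPS = ("!=", ">=", "<=", "&=", "=", ">", "<", "&")


def split_cond(cond):
    """Split an -F argument such as 'arch=b64' into (name, op, value)."""
    for op in OPS:
        if op in cond:
            name, value = cond.split(op, 1)
            return name, op, value
    raise ValueError(f"malformed -F condition: {cond!r}")


def parse_rule(lineno, line):
    """Parse one line; returns (rule, prepend) or (None, False) for blank
    lines, comments and non-rule control options such as -D, -b, -f, -e.
    Assumption: '-w P -p X' behaves like '-a always,exit -F path=P -F perm=X'
    and -A (as documented for auditctl) puts the rule at the front of the list."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] not in ("-a", "-A", "-w"):
        return None, False
    rule = Rule(lineno=lineno, action="", lst="")
    prepend = False
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt in ("-a", "-A"):
            prepend = opt == "-A"
            first, second = arg.split(",", 1)
            # auditctl accepts both action,list and list,action
            if first in ("always", "never"):
                rule.action, rule.lst = first, second
            else:
                rule.action, rule.lst = second, first
        elif opt == "-w":
            rule.action, rule.lst = "always", "exit"
            rule.fields.add(("path", "=", arg))
        elif opt == "-p":
            rule.perm = set(arg)
        elif opt == "-F":
            name, op, value = split_cond(arg)
            if name == "perm" and op == "=":
                rule.perm = set(value)
            else:
                rule.fields.add((name, op, value))
        elif opt == "-S":
            rule.syscalls = None if arg == "all" else (rule.syscalls or set()) | set(arg.split(","))
        elif opt == "-k":
            rule.key = arg
        else:
            raise ValueError(f"line {lineno}: unsupported option {opt}")
        i += 2
    return rule, prepend


def covers(a, b):
    """True if every event matching rule b also matches the earlier rule a.
    Conservative: only identical (name, op, value) conditions are compared."""
    if a.lst != b.lst:
        return False
    if a.syscalls is not None and (b.syscalls is None or not b.syscalls <= a.syscalls):
        return False
    if a.perm is not None and (b.perm is None or not b.perm <= a.perm):
        return False
    return a.fields <= b.fields


def effective_order(text):
    """Rules in the order the kernel would hold them (-A rules go to the front)."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        rule, prepend = parse_rule(n, line)
        if rule is None:
            continue
        rules.insert(0, rule) if prepend else rules.append(rule)
    return rules


def find_shadowed(text):
    """Return [(shadowing_lineno, shadowed_lineno, shadowed_key), ...]."""
    rules = effective_order(text)
    hits = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                hits.append((earlier.lineno, later.lineno, later.key))
                break
    return hits


# Constructed sample rules file (not a real site's audit.rules).
SAMPLE_RULES = """\
# constructed sample, not a real site's audit.rules
-D
-b 8192
-a always,exit -F arch=b64 -S open,openat,creat -k all_opens
-a always,exit -F arch=b64 -S open -F path=/etc/shadow -k shadow_open
-a always,exit -F arch=b64 -S execve -k exec
-w /etc/passwd -p wa -k passwd_attr
-w /etc/passwd -p w -k passwd_write
-A always,exit -F arch=b64 -S all -F auid=0 -k root_everything
"""

if __name__ == "__main__":
    for a, b, key in find_shadowed(SAMPLE_RULES):
        print(f"warning: rule on line {b} (key {key}) is shadowed by line {a}")
```

On the sample file the linter reports that the `shadow_open` rule is shadowed by the broader `all_opens` rule above it, and that the `-p w` watch on /etc/passwd is shadowed by the earlier `-p wa` watch on the same path, while the `-A` rule keyed `root_everything` lands first in the effective order and shadows nothing because its `auid=0` condition is narrower than the rules that follow it.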