From: Steve Grubb
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 16:48:05 -0400
Message-ID: <200803191648.06265.sgrubb@redhat.com>
In-Reply-To: <1205956134.6333.4.camel@localhost.localdomain>
References: <200803191302.48434.sgrubb@redhat.com> <200803191528.55805.sgrubb@redhat.com> <1205956134.6333.4.camel@localhost.localdomain>
To: Eric Paris
Cc: Linux Audit, Valdis.Kletnieks@vt.edu
List-Id: linux-audit@redhat.com

On Wednesday 19 March 2008 15:48:54 Eric Paris wrote:
> > Then you surely have duplicate rules controlled by 2 systems. The first
> > rule in the audit.rules file is -D which would delete not only the audit
> > event rules for archival purposes, but any IDS placed rules. There is not
> > a simple way of deleting the rules placed by auditctl vs the ones placed
> > by the IDS. The IDS system would also need to be prodded to reload its
> > set of rules again.
>
> If someone does -D they lose no matter what no matter how we solve
> this :)

Well, in the way I propose, all the rest of the lines of audit.rules set it
back up.

> I find it objectionable that the sysadmin has to learn some new
> arbitrary key requirements.

It's not arbitrary if it follows a defined and agreed upon pattern. ;)

> Could the ids system parse its own configuration file and automatically
> generate audit.rules.ids which is just cat'ed onto the end of audit.rules
> for purposes of startup scripts and things like that?

I suppose it could, but then what if you wanted to do something complicated
like:

-a always,exit -F perms=wa -F auid>=500 -F exit=-EPERM -F dir=/etc -k ids-file-med

or

-a always,exit -F perms=wa -F subj_role=webadmin_r -F exit=-EPERM -k ids-file-med

In order to allow the expressiveness that auditctl rules could perform, you
need to build this into the configuration that the IDS reads. As you add each
capability, you suddenly realize you just wrote auditctl another way. So, it's
either do simplistic watches for the IDS or you wind up writing auditctl.

> Although admittedly I have no idea what happens if you do
>
> -a exit,always -S all -k hey2
> -a exit,always -S all -k key2

This would generate a lot of events, some would be trapped by the IDS, but
none would fall into the watched file/exec/mkexe buckets of the IDS.

-Steve
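As an added illustration of the key-based routing Steve is proposing (my own code, not anything from this thread or from the audit project), the snippet below parses audit.rules lines, routes each rule by its -k key, and counts the -D flushes that the thread warns would remove IDS-placed rules along with everything else. It assumes a key convention of ids-<bucket>-<severity>, which the thread only implies through the ids-file-med example; the audit.rules content is constructed from the rules quoted above.

```python
import re
import shlex

# Constructed audit.rules, modelled on the rules quoted in the thread; the
# leading -D is the flush that the thread warns removes every loaded rule.
AUDIT_RULES = """\
-D
-a always,exit -F perms=wa -F auid>=500 -F exit=-EPERM -F dir=/etc -k ids-file-med
-a always,exit -F perms=wa -F subj_role=webadmin_r -F exit=-EPERM -k ids-file-med
-w /etc/shadow -p wa -k shadow-archive
-a exit,always -S all -k hey2
"""

# Assumed key convention (the thread names no concrete pattern):
# ids-<bucket>-<severity>, with bucket one of the IDS buckets Steve lists.
KEY_RE = re.compile(r"^ids-(?P<bucket>file|exec|mkexe)-(?P<sev>low|med|high)$")

def parse_rule(line):
    """Split one auditctl rule into its action, -F filters and -k key."""
    argv = shlex.split(line)
    rule = {"flush": "-D" in argv, "action": None, "filters": [], "key": None}
    for opt, val in zip(argv, argv[1:]):  # option/value pairs; -D takes no value
        if opt == "-a":
            rule["action"] = val
        elif opt == "-F":
            rule["filters"].append(val)
        elif opt == "-k":
            rule["key"] = val
    return rule

def route(key):
    """Return (bucket, severity) for an IDS-routed key, else None."""
    m = KEY_RE.match(key or "")
    return (m["bucket"], m["sev"]) if m else None

def classify_rules(text):
    """Split audit.rules into IDS-routed rules, other rules, and the -D count."""
    ids, other, flushes = [], [], 0
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["flush"]:
            flushes += 1  # this line drops IDS-placed rules too
        elif route(rule["key"]):
            ids.append(rule)
        else:
            other.append(rule)
    return ids, other, flushes
```

Rules such as "-k hey2" parse fine but route to no bucket, which is the situation Steve describes for keys outside the agreed pattern.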