Re: [RFC] programmatic IDS routing

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Linda Knippers <linda.knippers@hp.com>
Cc: Linux Audit <linux-audit@redhat.com>, Valdis.Kletnieks@vt.edu
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 17:01:35 -0400	[thread overview]
Message-ID: <200803191701.35669.sgrubb@redhat.com> (raw)
In-Reply-To: <47E16FAB.4010601@hp.com>

On Wednesday 19 March 2008 15:55:23 Linda Knippers wrote:
> > Because this IDS is part of the audit system.
>
> Is there something that describes what you're building so we can
> have the right context to comment on this?

I presented this:

http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp

at last year's Red Hat Summit. The idea is roughly the same, but the 
configuration is slightly different.

> I assumed you were building something that would be a dispatcher plug-in or
> something rather than building something new into the core audit subsystem.

It is. Its tightly integrated.

> >> If an IDS has a dependency on audit and specific audit rules to get the
> >> information it needs, it can use the information in its config file to
> >> construct the audit rules it needs.
> >
> > Then you surely have duplicate rules controlled by 2 systems. The first
> > rule in the audit.rules file is -D which would delete not only the audit
> > event rules for archival purposes, but any IDS placed rules. There is not
> > a simple way of deleting the rules placed by auditctl vs the ones placed
> > by the IDS. The IDS system would also need to be prodded to reload its
> > set of rules again.
>
> An IDS should be able to be prodded to reload its rules.

Sure, but you have the audit system loading CAPP rules with all those watches 
and then maybe the admin wants any write to shadow to be a high alert since 
he's the only user and won't be changing his password. We would either need 
to analyze the rules and make sure they are simplistic enough for the IDS to 
be guaranteed an event, or just add more rules to make sure we got 'em. In 
this case, we may windup creating records that the admin did not want on the 
disk. 

i just see this as progressing into a mess. We have 2 things that have 
different ideas about what needs to be tracked. Neither understanding why the 
other is doing something and not happy because either too much data is going 
to disk or not enough events to trap something important.

By using the key field, its in plain sight and done with purpose. Not enough 
events to trap something important, widen it in audit.rules and you also know 
that this will send more to disk. No suprises there.

-Steve

next prev parent reply	other threads:[~2008-03-19 21:01 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-03-19 17:02 [RFC] programmatic IDS routing Steve Grubb
2008-03-19 17:12 ` Linda Knippers
2008-03-19 17:40   ` Steve Grubb
2008-03-19 17:55     ` Steve Grubb
2008-03-19 18:18     ` Valdis.Kletnieks
2008-03-19 18:54       ` Steve Grubb
2008-03-19 20:09         ` Valdis.Kletnieks
2008-03-19 18:05 ` Valdis.Kletnieks
2008-03-19 18:40   ` Steve Grubb
2008-03-19 19:04     ` Linda Knippers
2008-03-19 19:28       ` Steve Grubb
2008-03-19 19:48         ` Eric Paris
2008-03-19 20:48           ` Steve Grubb
2008-03-19 19:55         ` Linda Knippers
2008-03-19 21:01           ` Steve Grubb [this message]
2008-03-19 21:31             ` Linda Knippers
2008-03-19 21:41               ` Eric Paris
2008-03-19 22:42                 ` Steve Grubb
2008-03-19 23:00                   ` Linda Knippers
2008-03-19 23:44                     ` Steve Grubb
2008-03-20 13:32                       ` Linda Knippers
2008-03-20 13:53                         ` Steve Grubb
2008-03-21 10:28                           ` Klaus Heinrich Kiwi
2008-03-21 12:50                             ` Steve Grubb
2008-03-21 14:14                               ` LC Bruzenak
2008-03-21 15:01                                 ` Steve Grubb
2008-03-21 16:32                                   ` LC Bruzenak
2008-03-24 13:13                                   ` Klaus Heinrich Kiwi
2008-03-20 12:19               ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200803191701.35669.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=linda.knippers@hp.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox