From: Steve Grubb
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 18:42:49 -0400
Message-ID: <200803191842.50206.sgrubb@redhat.com>
In-Reply-To: <1205962867.6333.13.camel@localhost.localdomain>
References: <200803191302.48434.sgrubb@redhat.com> <47E18645.5060005@hp.com> <1205962867.6333.13.camel@localhost.localdomain>
To: Eric Paris
Cc: Linux Audit, Valdis.Kletnieks@vt.edu
List-Id: linux-audit@redhat.com

On Wednesday 19 March 2008 17:41:07 Eric Paris wrote:
> So maybe all we need is for the ids config file to be of the form
>
> key type priority

And hostname. Remember that this could be run from an aggregator.

> so I can set up my audit rules however I want, say
>
> -a always,exit -F perms=wa -F auid>=500 -F exit=-EPERM -F dir=/etc -k 500EPERM
> -a always,exit -F perms=wa -F subj_role=webadmin_r -F exit=-EPERM -k webadminEPERM
>
> And my ids config file would look like:
>
> 500EPERM        file    med
> webadminEPERM   exec    high

This is pretty close to the idea that I started with. Then I thought, how do I make this engine run faster? How do I reduce memory consumption (since the keys have to be stored in memory)? How do I make sure that the keys are there and correct?

> And on startup the ids can easily look to see if 500EPERM and
> webadminEPERM are actually keys to real rules just for sanity's sake.

Sure... but audit rules are loaded after auditd starts so that we can record them being put into effect. So, you would have to wait a while after startup to do this.

> Is the reverse mapping from key to ids action really so expensive that this
> is unreasonable?

Consider a datacenter with many hosts that may want to run this off of the aggregator. There will be a high rate of incoming events and a bit of comparing to figure out if each event is something we care about.

With my proposal, I can tell with strncmp(key, "ids-", 4) if this is anything we need to pay attention to. So, inspection of 4 bytes lets me decide yes/no. It's a finite amount of time and doesn't linearly slow down the system as more hosts and files of interest are configured. It scales well.

> I tend to also agree with the part of the discussion which says that it
> isn't audit's place to decide that some rules are meant for disk and
> some rules aren't.

I agree and never proposed that.

-Steve
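The two routing strategies argued over in this message, as an added example that is not part of the thread and not audit or auditd code: a config table in the "key type priority" form (plus the hostname column the reply asks for) that has to be scanned for every incoming event, beside the fixed-cost strncmp(key, "ids-", 4) gate. The config lines, the audit records, the use of the aggregator's "node=" field to identify the sending host, and the "ids-<type>-<priority>" key spelling are all constructed for illustration; the thread does not define how type and priority would be encoded in a prefixed key.

```c
/* Added example, not code from the linux-audit thread or from audit/auditd.
 * It contrasts the two event-routing strategies discussed above: a config
 * table "key type priority hostname" scanned for every event, versus the
 * fixed-cost strncmp(key, "ids-", 4) gate. The config lines, the audit
 * records, the aggregator's "node=" field and the "ids-<type>-<priority>"
 * key spelling are all constructed for illustration. */
#include <stdio.h>
#include <string.h>

struct ids_rule { char key[64], type[16], priority[8], host[32]; };

/* Constructed config: the "key type priority" form plus a hostname column. */
static const char *config_lines[] = {
    "500EPERM       file  med   web1",
    "webadminEPERM  exec  high  web1",
    "500EPERM       file  high  db1",
};
#define NCFG ((int)(sizeof config_lines / sizeof config_lines[0]))

/* Constructed records as an aggregator sees them (node= names the sender). */
static const char *records[] = {
    "node=web1 type=SYSCALL msg=audit(1205962867.001:101): syscall=2 success=no exit=-1 auid=501 key=\"500EPERM\"",
    "node=web1 type=SYSCALL msg=audit(1205962867.002:102): syscall=2 success=no exit=-1 auid=501 key=\"ids-file-med\"",
    "node=db1 type=SYSCALL msg=audit(1205962867.003:103): syscall=59 success=no exit=-1 auid=502 key=\"webadminEPERM\"",
    "node=web1 type=PATH msg=audit(1205962867.001:101): item=0 name=\"/etc/shadow\"",
    "node=db1 type=SYSCALL msg=audit(1205962867.004:104): syscall=59 success=no exit=-1 auid=502 key=\"ids-exec-high\"",
};
#define NREC ((int)(sizeof records / sizeof records[0]))

/* Parse one "key type priority hostname" line; returns 1 on success. */
static int parse_rule(const char *line, struct ids_rule *r)
{
    return sscanf(line, "%63s %15s %7s %31s", r->key, r->type, r->priority, r->host) == 4;
}

/* Copy the value of field "name" (e.g. "node=" or " key=") out of a record,
 * with or without surrounding double quotes; returns 0 if absent or too long. */
static int extract_field(const char *rec, const char *name, char *out, size_t outlen)
{
    const char *p = strstr(rec, name);
    if (!p) return 0;
    p += strlen(name);
    if (*p == '"') p++;
    const char *q = p;
    while (*q && *q != ' ' && *q != '"') q++;
    if ((size_t)(q - p) >= outlen) return 0;
    memcpy(out, p, (size_t)(q - p));
    out[q - p] = '\0';
    return 1;
}

/* Table approach: the reverse mapping key -> (type, priority) is a linear scan
 * whose cost grows with the hosts and files configured; *visited counts rules examined. */
static const struct ids_rule *lookup_rule(const struct ids_rule *rules, int n,
                                         const char *host, const char *key, long *visited)
{
    for (int i = 0; i < n; i++) {
        (*visited)++;
        if (strcmp(rules[i].host, host) == 0 && strcmp(rules[i].key, key) == 0)
            return &rules[i];
    }
    return NULL;
}

/* Prefix approach from the reply: four bytes decide relevance, whatever the config size. */
static int is_ids_key(const char *key)
{
    return strncmp(key, "ids-", 4) == 0;
}

/* Route the constructed records through the table. Returns the number routed;
 * stores the number of rule visits in *visited when non-NULL. */
int route_by_table(long *visited)
{
    struct ids_rule rules[NCFG];
    int nrules = 0;
    for (int i = 0; i < NCFG; i++)
        if (parse_rule(config_lines[i], &rules[nrules]))
            nrules++;

    long v = 0;
    int routed = 0;
    for (int i = 0; i < NREC; i++) {
        char host[32], key[64];
        if (!extract_field(records[i], "node=", host, sizeof host) ||
            !extract_field(records[i], " key=", key, sizeof key))
            continue;   /* unkeyed record: nothing for the IDS */
        if (lookup_rule(rules, nrules, host, key, &v))
            routed++;
    }
    if (visited) *visited = v;
    return routed;
}

/* Route the constructed records with the prefix gate. Returns the number routed;
 * stores the number of strncmp calls in *checks when non-NULL. */
int route_by_prefix(long *checks)
{
    long c = 0;
    int routed = 0;
    for (int i = 0; i < NREC; i++) {
        char key[64];
        if (!extract_field(records[i], " key=", key, sizeof key))
            continue;
        c++;
        if (is_ids_key(key))
            routed++;
    }
    if (checks) *checks = c;
    return routed;
}

/* Cost figures on their own, for callers that only want the counts. */
long table_rule_visits(void) { long v = 0; route_by_table(&v); return v; }
long prefix_checks(void) { long c = 0; route_by_prefix(&c); return c; }

int main(void)
{
    long visited = 0, checks = 0;
    int t = route_by_table(&visited), p = route_by_prefix(&checks);
    printf("table: %d routed after %ld rule visits; prefix: %d routed after %ld checks\n",
           t, visited, p, checks);
    return 0;
}
```

On this constructed input the table scan examines 10 rules to route one event, while the prefix gate makes four 4-byte comparisons to route two; the gap widens as hosts and rules are added to the table, which is the scaling point the reply makes. The caveat is that the gate only answers yes/no: type and priority still have to come from somewhere, either encoded in the key (as the assumed "ids-file-med" spelling does) or from a lookup that the gate merely avoids for uninteresting events.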