From: Steve Grubb
Subject: Re: prelude events
Date: Mon, 25 Aug 2008 17:09:55 -0400
Message-ID: <200808251709.55257.sgrubb@redhat.com>
In-Reply-To: <1219697258.7022.815.camel@homeserver>
References: <1219695605.7022.807.camel@homeserver> <200808251641.47803.sgrubb@redhat.com> <1219697258.7022.815.camel@homeserver>
To: LC Bruzenak
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 25 August 2008 16:47:38 LC Bruzenak wrote:
> > Yes, you'd add -k ids-file- and one of: info, low, med, or high
> > depending on how severe you consider this access.
>
> ...and of course then that made me think if we can do this for the file
> watches, why not for user-submitted events also?

The problem is that user space originating events do not have keys. So, there
is no way to set up audit policy from the audit configuration. You could try
adding them in the message being sent to the kernel. But this then means it's
hardcoded and no one can change it to something lower if they don't like it.

> Some of these I am already sending into the prelude system via patched
> audisp-prelude.c code, but I'd prefer to rip out this hack and instead just
> have a matching key identified.

There is a lot of specialized information aside from the key that must go into
an alert. Source and target of attack must be clearly identified, impact,
severity, category, etc. Not sure how to get that from a generic key. Any
ideas along this line?

-Steve
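The key-to-severity scheme discussed in the thread (a file watch tagged with `-k ids-file-` plus one of info, low, med, or high), as an added example that is not part of the original mail or of audisp-prelude: a small parser that pulls the `key=` field out of audit records and maps it to a severity, and returns no severity for user-space records, which is the gap Steve describes. The record lines are constructed samples, and the field names are only what a SYSCALL or USER_* record would carry.

```python
import re

# Key naming scheme from the thread: "ids-file-" followed by a severity level.
KEY_PREFIX = "ids-file-"
SEVERITIES = ("info", "low", "med", "high")

# Kernel-generated records carry the matching rule's key as key="...";
# user-space records (USER_AUTH, USER_LOGIN, ...) have no key field at all.
KEY_RE = re.compile(r'\bkey="([^"]*)"')
TYPE_RE = re.compile(r"\btype=(\S+)")


def severity_from_key(key):
    """Map an audit rule key to a severity, or None if it is not an ids-file key."""
    if not key.startswith(KEY_PREFIX):
        return None
    level = key[len(KEY_PREFIX):]
    return level if level in SEVERITIES else None


def classify_record(line):
    """Return (record_type, severity). severity is None when no usable key is present,
    which is always the case for user-space originated events."""
    m_type = TYPE_RE.search(line)
    m_key = KEY_RE.search(line)
    rtype = m_type.group(1) if m_type else "UNKNOWN"
    key = m_key.group(1) if m_key else None
    return rtype, (severity_from_key(key) if key else None)


# Constructed sample records, not captured from a real system.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1219695605.000:101): arch=c000003e syscall=2 success=yes exit=3 comm="vi" exe="/usr/bin/vi" key="ids-file-high"',
    'type=SYSCALL msg=audit(1219695606.000:102): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="ids-file-info"',
    "type=USER_AUTH msg=audit(1219695607.000:103): pid=4242 uid=0 auid=500 msg='op=PAM:authentication acct=lc exe=/usr/bin/sudo res=failed'",
    'type=SYSCALL msg=audit(1219695608.000:104): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/bin/bash" key="backups"',
]


def summarize(records):
    """Group record types by severity; records without an ids-file key land under None."""
    out = {}
    for line in records:
        rtype, sev = classify_record(line)
        out.setdefault(sev, []).append(rtype)
    return out
```

Records that end up under `None` (the USER_AUTH line and the watch keyed "backups") are exactly the ones a key-driven alert policy cannot grade.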