From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Reactive rules (from juro.fit@gmail.com)
Date: Mon, 24 Aug 2009 15:28:50 -0400
Message-ID: <200908241528.50647.sgrubb@redhat.com>
References: <1056392541.1213981250665925854.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
In-Reply-To: <1056392541.1213981250665925854.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: juro, Miloslav Trmac
List-Id: linux-audit@redhat.com

On Wednesday 19 August 2009 03:12:05 am Miloslav Trmac wrote:
> I suggest that a change should be done in the kernel. The events
> are filtered in it so that there is no need to parse the messages
> sent to the auditd, and this solution wouldn't cause any increase
> in the load of the system caused by auditing.

I suppose you could hook into the exclude filter and check events there.

> First of all, the syntax of the rules should be changed a bit to
> include reactive rules. It could look like this:
>
> rule1
> rule2 {
>     rule2_1
>     rule2_2
> }
> rule3
>
> When an event that rule2 watches for occurs, rule2_1 and rule2_2
> will be added/removed to/from the rule set.

You could also do matching based on a new field rather than change the
syntax of the rules. It could work like the key field except it's a number.
The high bit could determine if it's add/delete.

> The change in the syntax means a change in auditctl.c. Also,
> struct audit_rule_data needs to be altered to include some flag
> that makes it possible to recognize between the types of rules
> when passed to the kernel.

The less changed in the kABI the better. It needs to stay backward/forward
compatible in different combinations of kernel and user space.
-Steve
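A small user-space model of the reactive-rule mechanism discussed in this thread, added here as an illustration; it is not auditd or kernel code, and the Rule/ReactiveRuleSet classes and the REACT_* encoding of the numeric field (high bit selects add or delete, low bits name the child group) are invented for the example.

```python
# Toy model of the reactive-rule proposal: matching rule2 adds its child
# rules to the active set; a numeric reaction field encodes add/delete in
# the high bit and the child group in the low bits (invented encoding).
REACT_ADD = 1 << 31               # high bit set: add the child group on match
REACT_GROUP_MASK = REACT_ADD - 1  # low bits: which child group to act on


class Rule:
    def __init__(self, name, match, react=None, group=None):
        self.name = name      # reporting tag, like an auditctl -k key
        self.match = match    # predicate over an event dict
        self.react = react    # None, REACT_ADD | group (add) or group (delete)
        self.group = group    # child-group id this rule belongs to, if any


class ReactiveRuleSet:
    def __init__(self, active, inactive):
        self.active = list(active)      # rules currently loaded
        self.inactive = list(inactive)  # child rules waiting to be added

    def active_names(self):
        return sorted(r.name for r in self.active)

    def process(self, event):
        """Return the names of rules that matched, applying reactions in order."""
        matched = []
        for rule in list(self.active):  # iterate a copy: reactions mutate active
            if rule.match(event):
                matched.append(rule.name)
                if rule.react is not None:
                    self._react(rule.react)
        return matched

    def _react(self, react):
        group = react & REACT_GROUP_MASK
        if react & REACT_ADD:
            src, dst = self.inactive, self.active
        else:
            src, dst = self.active, self.inactive
        moving = [r for r in src if r.group == group]
        src[:] = [r for r in src if r.group != group]
        dst.extend(moving)


def build_ruleset():
    """Constructed rule set: rule2 arms child group 1, rule3 disarms it."""
    rule1 = Rule("rule1", lambda e: e.get("syscall") == "execve")
    rule2 = Rule("rule2", lambda e: e.get("path") == "/etc/shadow", react=REACT_ADD | 1)
    rule3 = Rule("rule3", lambda e: e.get("syscall") == "exit_group", react=1)
    rule2_1 = Rule("rule2_1", lambda e: e.get("syscall") == "write", group=1)
    rule2_2 = Rule("rule2_2", lambda e: e.get("syscall") == "chmod", group=1)
    return ReactiveRuleSet([rule1, rule2, rule3], [rule2_1, rule2_2])
```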