From: Steve Grubb <sgrubb@redhat.com>
To: Juraj Hlista <juro.hlista@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit keys: support for multiple audit keys
Date: Fri, 12 Mar 2010 15:53:31 -0500
Message-ID: <201003121553.31275.sgrubb@redhat.com>
In-Reply-To: <58f704b21003121224yc3db45fk7b6ff44d20534cad@mail.gmail.com>

On Friday 12 March 2010 03:24:38 pm Juraj Hlista wrote:
> On Fri, Mar 12, 2010 at 8:40 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > OK, I see. What I would suggest is a mechanism with a new name. One thing
> > I will point out is that the kernel prefers to work off of integers
> > instead of strings. Strings are for people, numbers are for the
> > computer. (E.g. root vs 0.) So, I would consider calling this something
> > else and using integers so that comparisons are faster.
> >
> I intended to use a separate configuration file for the reactive plugin
> where definitions of reactions are kept, for instance:
>
> "reaction1" {
> add "exit,always -S open ...."
> exec "...."
> }
>
> "reaction2" {
> ...
> }
>
> where "reaction1" "reaction2" are identifiers of reactions.

You can have strings for the config file and listing out, but the kernel really
operates off of numbers as much as possible. IOW, the external and internal
representation do not have to be the same. You could have detect=1 and react=1
so that when a rule triggers, you have an integer of what was detected which
also serves as an index into a reaction list.

> Do you suggest I should use numbers instead of strings within the
> configuration file?

I would think about it more and see if I could get it down to numbers somehow.

-Steve
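
The split between external names and internal integers discussed in this message, as an added example that is not part of the original thread or of the audit project's code. The names `reaction_intern`, `reaction_lookup` and `table`, and the sample commands, are hypothetical; ids start at 1 so that 0 can mean "no reaction".

```c
#include <stdio.h>
#include <string.h>

#define MAX_REACTIONS 16
#define NAME_LEN 32

/* Hypothetical reaction table: the name exists only for the config file and listings. */
struct reaction {
    char name[NAME_LEN];   /* external form, e.g. "reaction1" */
    char exec[64];         /* constructed sample command */
};

static struct reaction table[MAX_REACTIONS + 1]; /* slot 0 unused: 0 = no reaction */
static int n_reactions;

/* Config-load time: map a name to its integer id, allocating one on first use.
 * A name seen before keeps its first definition. Returns the id (>= 1), or -1
 * if a string does not fit or the table is full. */
int reaction_intern(const char *name, const char *exec)
{
    if (strlen(name) >= NAME_LEN || strlen(exec) >= sizeof(table[0].exec))
        return -1;
    for (int i = 1; i <= n_reactions; i++)
        if (strcmp(table[i].name, name) == 0)
            return i;
    if (n_reactions == MAX_REACTIONS)
        return -1;
    n_reactions++;
    strcpy(table[n_reactions].name, name);
    strcpy(table[n_reactions].exec, exec);
    return n_reactions;
}

/* Event time: one range check and an array index, no string comparison.
 * Returns NULL for an id that no configured reaction owns. */
const struct reaction *reaction_lookup(int react)
{
    if (react < 1 || react > n_reactions)
        return NULL;
    return &table[react];
}

int main(void)
{
    int id = reaction_intern("reaction1", "/bin/true");
    const struct reaction *r = reaction_lookup(id);
    printf("react=%d -> %s (%s)\n", id, r->name, r->exec);
    return 0;
}
```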