From: Steve Grubb
Subject: Re: [PATCH] mapping of reactions
Date: Tue, 6 Apr 2010 09:53:56 -0400
Message-ID: <201004060953.56610.sgrubb@redhat.com>
References: <2098439088.299041270060589834.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> <1270474718.8697.15.camel@lcb>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 06 April 2010 05:13:49 am Juraj Hlista wrote:
> The patches were denied, because it can be implemented without
> touching the kernel (in the audit plugin, which I'm working on now)

Yes. It should be possible to set a list of parameters to match against and
then run auditctl when a match is found. Auditctl can delete by key, so if you
have a set of rules for a specific reaction, then you can add a key to the
rules. Then if another rule is matched that would want to delete the rules,
you can do that.

For example, mount might require adding rules, unmount would probably delete
any watches, but you can make sure everything is gone with a second match. Same
thing with logon/logoff of a specific user.

-Steve
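The keyed add/delete pattern described in this message, as an added example that is not part of the original e-mail or of the audit plugin under discussion. The `react` and `reaction_key` functions, the `react_*` key naming, and the specific rules attached to each event are assumptions made for illustration; the script prints the `auditctl` commands unless `AUDITCTL=auditctl` is set.

```shell
#!/bin/sh
# Added example: reaction rules are tagged with a key when they are loaded,
# so a later match can remove the whole set with one delete-by-key.
# Dry-run by default (commands are echoed); set AUDITCTL=auditctl as root to apply.
AUDITCTL="${AUDITCTL:-echo auditctl}"

# Hypothetical key scheme: react_<reaction>_<target>, with every character
# outside [A-Za-z0-9] in the target replaced by '_'.
reaction_key() {
    printf 'react_%s_%s' "$1" "$(printf '%s' "$2" | tr -c 'A-Za-z0-9' '_')"
}

# react EVENT TARGET
#   mount/unmount: TARGET is the mount point
#   logon/logoff:  TARGET is the numeric login uid (auid)
react() {
    event=$1
    target=$2
    case $event in
        mount)
            # Assumed rule for this reaction: watch writes and attribute changes.
            $AUDITCTL -w "$target" -p wa -k "$(reaction_key mount "$target")"
            ;;
        unmount)
            # -D with -k deletes only the rules carrying that key.
            # The same call can be issued again on a second match.
            $AUDITCTL -D -k "$(reaction_key mount "$target")"
            ;;
        logon)
            # Assumed rule for this reaction: record program execution by the user.
            $AUDITCTL -a always,exit -F arch=b64 -S execve \
                -F auid="$target" -k "$(reaction_key user "$target")"
            ;;
        logoff)
            $AUDITCTL -D -k "$(reaction_key user "$target")"
            ;;
        *)
            echo "react: unknown event: $event" >&2
            return 2
            ;;
    esac
}

# Constructed sample events: a mount followed by its unmount.
react mount /mnt/usb
react unmount /mnt/usb
```

Because each reaction's rules share one key, rules loaded for other purposes are left untouched by the delete.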