From: Valdis.Kletnieks@vt.edu
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 16:09:26 -0400
Message-ID: <3256.1205957366@turing-police.cc.vt.edu>
In-Reply-To: <200803191454.16671.sgrubb@redhat.com>
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Wed, 19 Mar 2008 14:54:16 EDT, Steve Grubb said:

>> 2) An audit rule wasn't set at all.

> Again nothing to worry about since they haven't set the system up yet.

No - it's one of the failure modes you said you were worried about:

> The problem is that you can tell the IDS that you want any reads
> of /opt/my-secrets, but unless you have a matching audit rule you will not
> get any records. This allows you to make sure you have a watch paired with
> its meaning.

Exactly - if you're missing the rule, you don't get records. Determining
whether it's a problem because a rule is missing, or not a problem because
"it's not set up yet", isn't anything the kernel should be involved in - other
than to maybe notify us "Hey dood, you have exactly zero rules set, you might
want to check what happened".

> I have also been wondering about detecting shadowed rules and warning when
> auditctl finishes a file.
I wasn't even thinking about that - I was thinking of the ones that are like
the old SNL skit - a dessert topping *and* a floor wax. Say, one rule triggered
on an event because it's an unsuccessful open, and another rule would have
triggered because it was a reference to a watched file....
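The pairing problem above (an IDS expects records for a path, but no matching audit watch is loaded, or the loaded watch covers the wrong permissions) can be checked in user space before any event is ever missed. The following is an added illustration, not code from the thread or from audit: the `auditctl -l` lines and the IDS expectation table are constructed, and the `-w PATH -p PERMS -k KEY` syntax is the real auditctl watch syntax.

```python
import re

# Constructed sample of `auditctl -l` output (not taken from the thread).
SAMPLE_RULES = """\
-w /opt/my-secrets -p rwa -k secrets
-w /etc/shadow -p wa -k shadow
-a always,exit -F arch=b64 -S open -F success=0 -k failed-open
"""

# Constructed IDS "meanings": each path the IDS wants records for, and the
# access it cares about (r = read, w = write, x = execute, a = attribute).
IDS_WATCHES = {
    "/opt/my-secrets": "r",   # "any reads of /opt/my-secrets"
    "/etc/shadow": "r",
    "/var/log/audit": "w",
}

def parse_watch_rules(text):
    """Return {path: perms} for every -w rule in auditctl -l output.
    Syscall rules (-a ...) are skipped; a -w rule without -p defaults to rwxa."""
    watches = {}
    for line in text.splitlines():
        m = re.match(r"-w (\S+)(?: -p (\S+))?", line.strip())
        if m:
            watches[m.group(1)] = m.group(2) or "rwxa"
    return watches

def missing_watches(ids_watches, rules_text):
    """List every IDS expectation that no loaded audit rule will satisfy.
    Each entry is (path, reason). If no watches are loaded at all, a
    leading ("*", ...) entry flags the 'exactly zero rules set' case."""
    have = parse_watch_rules(rules_text)
    problems = []
    for path, needed in ids_watches.items():
        if path not in have:
            problems.append((path, "no -w rule"))
        elif not set(needed) <= set(have[path]):
            problems.append((path, f"rule watches {have[path]!r}, IDS needs {needed!r}"))
    if not have:
        problems.insert(0, ("*", "zero watch rules loaded"))
    return problems

if __name__ == "__main__":
    for path, reason in missing_watches(IDS_WATCHES, SAMPLE_RULES):
        print(f"{path}: {reason}")
```

With the constructed input, /opt/my-secrets is correctly paired, /etc/shadow is watched only for writes although the IDS wants reads, and /var/log/audit has no watch at all.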