audit 0.6 release

Casey Schaufler casey at schaufler-ca.com
Thu Jan 6 22:30:46 UTC 2005


--- "Browder, Tom" <Tom.Browder at fwb.srs.com> wrote:

> An example of a rule I want is to report when user X
> tries
> unsuccessfully to unlink a specific file.

Just to give you an idea of the magnitude of
what you're asking for:

    1. Real UID == X, effective UID == X, logged on
       as user X, or providing a remote service on
       behalf of user X?

    2. Unsuccessfully because he misspelled the path?

    3. Do you want to include rename with unlink?
       What about unmounting the file system the
       file is on?

    4. Do you mean the path name "/tmp/foo", or the
       inode 86753 on the root file system? What
       about symlinks, mount points, and/or pseudo
       filesystem redirections?

If the rules are kept in the kernel, how do you
intend to do that? You'll have to check either
every access to the file (assuming you know which
one it is) for unlinks or every unlink to see if
it's the file you're after.

If the audit daemon is going to look for this
event, the kernel has to generate any event that
might fit the bill.


I don't want to discourage anyone from putting
a compiler to their shoulder and lending a hand,
but the simple rule suggested is a lot trickier
than it looks. If you haven't read the current
project design it might be a good idea to do so.


=====
Casey Schaufler
casey at schaufler-ca.com
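As an added illustration (not code from the original post or from the audit project), a small Python evaluator that turns the four questions above into explicit rule options, so you can see how each choice changes which events the rule reports. The audit records it checks are constructed, and their field names (auid, uid, euid, syscall, success, name, inode) are assumed from the later auditd SYSCALL/PATH record style.

```python
# Added example, not part of the original post or the audit project: a toy
# evaluator showing how the four questions above change which events the rule
# "report when user X unsuccessfully unlinks /tmp/foo" matches. Records are
# constructed dicts; field names follow the later auditd SYSCALL/PATH style
# (an assumption; the 0.6-era format discussed here may differ).
UNLINK_SYSCALLS = {"unlink", "unlinkat"}
RENAME_SYSCALLS = {"rename", "renameat"}

SAMPLE_EVENTS = [
    # E1: X, logged in as X, denied unlinking the file by absolute path
    {"id": "E1", "syscall": "unlink", "success": "no", "auid": 1000, "uid": 1000,
     "euid": 1000, "name": "/tmp/foo", "inode": 86753},
    # E2: X became root via su/sudo; login uid still says X, real/effective say root
    {"id": "E2", "syscall": "unlink", "success": "no", "auid": 1000, "uid": 0,
     "euid": 0, "name": "/tmp/foo", "inode": 86753},
    # E3: same file reached by a relative name from cwd /tmp (question 4)
    {"id": "E3", "syscall": "unlinkat", "success": "no", "auid": 1000, "uid": 1000,
     "euid": 1000, "name": "foo", "inode": 86753},
    # E4: rename away from the path instead of unlink (question 3)
    {"id": "E4", "syscall": "rename", "success": "no", "auid": 1000, "uid": 1000,
     "euid": 1000, "name": "/tmp/foo", "inode": 86753},
    # E5: the unlink succeeded, so never a match
    {"id": "E5", "syscall": "unlink", "success": "yes", "auid": 1000, "uid": 1000,
     "euid": 1000, "name": "/tmp/foo", "inode": 86753},
    # E6: misspelled path, ENOENT; no inode because nothing was found (question 2)
    {"id": "E6", "syscall": "unlink", "success": "no", "auid": 1000, "uid": 1000,
     "euid": 1000, "name": "/tmp/fo", "inode": None},
]

def rule_matches(rec, target_uid, path, inode, *, identity="auid",
                 include_rename=False, by_inode=False):
    """True if rec is a failed removal of the target file by user X.

    identity: which uid field means "user X" (question 1): "auid" (login
              uid), "uid" (real uid) or "euid" (effective uid).
    include_rename: count rename of the file as removal too (question 3).
    by_inode: match the file by inode number instead of the path string
              the caller passed (question 4).
    """
    if rec["success"] != "no":
        return False
    wanted = UNLINK_SYSCALLS | (RENAME_SYSCALLS if include_rename else set())
    if rec["syscall"] not in wanted or rec[identity] != target_uid:
        return False
    return rec["inode"] == inode if by_inode else rec["name"] == path

def evaluate(events, target_uid, path, inode, **opts):
    """Return ids of the events the rule reports under the chosen options."""
    return [e["id"] for e in events
            if rule_matches(e, target_uid, path, inode, **opts)]
```

Running `evaluate(SAMPLE_EVENTS, 1000, "/tmp/foo", 86753)` with different options shows the same six records producing anywhere from one to four hits, which is the point of the questions above.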

