New operators for rules

Amy Griffis amy.griffis at hp.com
Fri Oct 7 12:55:41 UTC 2005


Steve Grubb wrote:     [Thu Oct 06 2005, 03:47:23PM EDT]
> On Thursday 06 October 2005 08:39, Amy Griffis wrote:
> > > We have to do this in a way that is backward compatible for old
> > > kernels.
> >
> > Where is this requirement coming from?
> 
> If you are using Fedora 4 and upgrade your kernel, you expect
> everything to keep working.

It will.  The problem is that specifying new rules with comparison
operators will not work on older kernels, and will produce unintended
results.  So upgrading the audit tools to a version providing this
feature would require a kernel upgrade as well.

> > > Any ideas? Any preferred bit patterns?
> >
> > If this had been included as part of the original design, older
> > kernels would have been masking out a set of bits for operator flags,
> > instead of just a single bit.  Since that isn't the case, I don't see
> > any way to make it backward compatible other than requiring user-space
> > tools to be aware of the kernel version and send the appropriate bits.
> 
> Sure, it's simple to do. If the next set of bits have something in
> it, use it, otherwise use the old one. This means 000 is backwards
> compatible. 101 could be mapped to range.

Right, in new kernels.  In older kernels, 101 doesn't mean anything.

> > How about introducing this feature in a 2.0 release?
> 
> 2.0 of what? We are presumably working on kernel 2.6.1x.

I was referring to audit tools 2.0.  If you feel uncomfortable
requiring a kernel upgrade with a minor version update, save the feature
for the next major version of the audit tools.

Amy
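
The compatibility problem discussed in this message, as an added example that is not part of the original thread or the audit project's code: it models an older kernel that masks out only a single flag bit and a newer one that also masks out a 3-bit operator field. The bit positions, the names and the sample field id are assumptions; only the 000 and 101 patterns come from the thread.

```c
#include <stdint.h>
#include <stdio.h>

#define NEGATE_BIT 0x80000000u      /* the single flag bit an older kernel masks out */
#define OP_SHIFT   28               /* assumed position of the "next set of bits" */
#define OP_MASK    (0x7u << OP_SHIFT)
#define OP_LEGACY  0x0u             /* 000: the backward-compatible pattern */
#define OP_RANGE   0x5u             /* 101: "range", as suggested in the thread */
#define FIELD_UID  1u               /* sample field id (constructed) */

struct decoded { uint32_t field; uint32_t op; int negate; };

/* Older kernel: knows only the negate bit; every other bit is field id. */
static struct decoded decode_old(uint32_t word) {
    struct decoded d = { word & ~NEGATE_BIT, OP_LEGACY,
                         (word & NEGATE_BIT) != 0 };
    return d;
}

/* Newer kernel: masks out the operator bits as well. */
static struct decoded decode_new(uint32_t word) {
    struct decoded d = { word & ~(NEGATE_BIT | OP_MASK),
                         (word & OP_MASK) >> OP_SHIFT,
                         (word & NEGATE_BIT) != 0 };
    return d;
}

/* User-space side: refuse to send operator bits to a kernel that cannot
 * decode them. Returns 0 on success, -1 if the rule is not representable. */
static int encode_rule(uint32_t field, uint32_t op, int negate,
                       int kernel_has_ops, uint32_t *out) {
    if (op != OP_LEGACY && !kernel_has_ops)
        return -1;
    *out = field | (op << OP_SHIFT) | (negate ? NEGATE_BIT : 0u);
    return 0;
}

int main(void) {
    uint32_t w;
    encode_rule(FIELD_UID, OP_RANGE, 0, 1, &w);
    printf("word=0x%08x new: field=%u op=%u  old: field=0x%08x\n",
           (unsigned)w, (unsigned)decode_new(w).field,
           (unsigned)decode_new(w).op, (unsigned)decode_old(w).field);
    if (encode_rule(FIELD_UID, OP_RANGE, 0, 0, &w) != 0)
        printf("range rule rejected for a kernel without operator support\n");
    return 0;
}
```

The same word decodes to field 1 with operator 101 under the newer model and to an unknown field id 0x50000001 under the older one, which is why the sender has to know what the kernel supports.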
