prelude events

LC Bruzenak lenny at magitekltd.com
Mon Aug 25 21:03:32 UTC 2008


On Mon, 2008-08-25 at 15:47 -0500, LC Bruzenak wrote:
> On Mon, 2008-08-25 at 16:41 -0400, Steve Grubb wrote:
> > On Monday 25 August 2008 16:24:35 LC Bruzenak wrote:
> > > I think I just saw the answer in the audisp-prelude man page:
> > > ...
> > > -w /etc/shadow -p wa
> > >
> > > and you want idmef alerts on this, you need to add -k
> > > ids-file-med or something appropriate to signal to the plugin
> > > that this message is for it.
> > 
> > Yes, you'd add -k ids-file- and one of: info, low, med, or high,
> > depending on how severe you consider this access.
> > 
> > -Steve
> 
> ...and of course then that made me think if we can do this for the file
> watches, why not for user-submitted events also? Some of these I am
> already sending into the prelude system via patched audisp-prelude.c
> code, but I'd prefer to rip out this hack and instead just have a
> matching key identified.


I don't know why I cannot think until after I hit the "send" button...
:)

The problem there is that I still want to build the prelude event with
some added name=value information I stuck into the audit event text,
which I'd like to see in the prewikka viewer.

LCB.
-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
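The thread describes two things: the audit key convention (-k ids-file- plus one of info, low, med or high) that tells audisp-prelude which records to turn into IDMEF alerts, and the wish to recover name=value pairs embedded in user-submitted event text. The parser below is an added example, not code from audisp-prelude or from anyone on the thread. It walks constructed audit-style records, pulls the key field, maps the key suffix to a severity, and, for USER records, splits the free text in msg='...' into name=value pairs. The idea of carrying a key=ids-user-<level> pair inside the user message text is a hypothetical convention introduced here for illustration, not something the plugin supports.

```python
import re
from typing import Dict, Optional

# Severity suffixes named in the thread for ids-file-<level> keys.
SEVERITY_LEVELS = ("info", "low", "med", "high")

# Constructed sample records modelled on the audit log layout (not from a real host).
# The third record uses the hypothetical key=ids-user-<level> convention in its msg text.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1219700000.123:456): arch=c000003e syscall=2 '
    'success=yes exit=3 uid=0 auid=500 comm="vi" exe="/bin/vi" key="ids-file-med"',
    'type=SYSCALL msg=audit(1219700001.456:457): arch=c000003e syscall=2 '
    'success=yes exit=4 uid=500 auid=500 comm="cat" exe="/bin/cat" key="backup-job"',
    "type=USER msg=audit(1219700002.789:458): user pid=2222 uid=500 auid=500 "
    "msg='key=ids-user-med app=inventory action=export rows=1200'",
]

# type=<TYPE> msg=audit(<epoch>:<serial>): <body>
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# name=value pairs; values may be single-quoted, double-quoted or bare.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its header parts and top-level fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: " + line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    for name, value in FIELD_RE.findall(m.group(4)):
        rec[name] = value.strip("'\"")
    return rec


def severity_from_key(key: Optional[str]) -> Optional[str]:
    """Map an ids-<something>-<level> key to its level; None if the key is not for the plugin."""
    if not key or not key.startswith("ids-"):
        return None
    level = key.rsplit("-", 1)[-1]
    return level if level in SEVERITY_LEVELS else None


def embedded_fields(rec: Dict[str, str]) -> Dict[str, str]:
    """Recover name=value pairs that were written into a user record's msg text."""
    text = rec.get("msg", "")
    return {name: value.strip("'\"") for name, value in FIELD_RE.findall(text)}


def classify(line: str) -> Dict[str, object]:
    """Decide whether a record is meant for the plugin and at what severity."""
    rec = parse_record(line)
    extra = embedded_fields(rec) if rec["type"].startswith("USER") else {}
    # Kernel records carry the key as a top-level field; the hypothetical user
    # convention carries it inside the msg text.
    key = rec.get("key") or extra.get("key")
    return {
        "serial": rec["serial"],
        "type": rec["type"],
        "key": key,
        "severity": severity_from_key(key),
        "extra": {k: v for k, v in extra.items() if k != "key"},
    }


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify(record))
```

Records whose key does not match the ids- prefix and a known level (the backup-job record above) come back with severity None, which is the signal to leave them out of the alert stream; the extra dictionary is what one would forward as additional data for the prewikka view.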