prelude events
Steve Grubb
sgrubb at redhat.com
Mon Aug 25 21:09:55 UTC 2008
On Monday 25 August 2008 16:47:38 LC Bruzenak wrote:
> > Yes, you'd add -k ids-file- and the one of: info, low, med, or high
> > depending on how severe you consider this access.
>
> ...and of course then that made me think if we can do this for the file
> watches, why not for user-submitted events also?
The problem is that user space originating events do not have keys. So, there
is no way to setup audit policy from the audit configuration. You could try
adding them in the message being sent to the kernel. But this then means its
hardcoded and no one can change it to something lower if they don't like it.
> Some of these I am already sending into the prelude system via patched
> audisp-prelude.c code, but I'd prefer to rip out this hack and instead just
> have a matching key identified.
There is a lot of specialized information aside from the key that must go into
an alert. Source and target of attack must be clearly identified, impact,
severity, category, etc. Not sure how to get that from a generic key. Any
ideas along this line?
-Steve
More information about the Linux-audit
mailing list