[RFC] programmatic IDS routing

Steve Grubb sgrubb at redhat.com
Wed Mar 19 17:40:21 UTC 2008


On Wednesday 19 March 2008 13:12:22 Linda Knippers wrote:
> Rather than using the key for two purposes and introducing special key
> words, couldn't an admin just tell the IDS which keys are of interest?
> And what the priority of each one is?

The problem is that you can tell the IDS that you want any reads 
of /opt/my-secrets, but unless you have a matching audit rule you will not 
get any records. This allows you to make sure you have a watch paired with 
its meaning.

-Steve



