[RFC] programmatic IDS routing
Steve Grubb
sgrubb at redhat.com
Wed Mar 19 17:40:21 UTC 2008
On Wednesday 19 March 2008 13:12:22 Linda Knippers wrote:
> Rather than using the key for two purposes and introducing special key
> words, couldn't an admin just tell the IDS which keys are of interest?
> And what the priority of each one is?
The problem is that you can tell the IDS that you want any reads
of /opt/my-secrets, but unless you have a matching audit rule you will not
get any records. This allows you to make sure you have a watch paired with
its meaning.
-Steve
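
The pairing problem described in the reply above, as an added example that is not part of the original thread or of any audit tooling: it compares a list of paths an IDS cares about with the watch rules actually loaded and reports every interest that would yield no records or no key. The IDS interest list format, the sample rules and the status names are assumptions made for illustration.

```python
import shlex

# Constructed sample in auditctl watch-rule syntax (not from the original thread).
SAMPLE_RULES = """\
-w /opt/my-secrets -p r -k secrets-read
-w /etc/passwd -p wa -k identity
-w /srv/payroll -p r
"""

# Hypothetical IDS interest list: (path, access type the IDS wants to see).
SAMPLE_INTERESTS = [
    ("/opt/my-secrets", "r"),
    ("/etc/passwd", "r"),
    ("/srv/payroll", "r"),
    ("/etc/shadow", "r"),
]


def parse_watches(rules_text):
    """Map each watched path to (permission letters, key or None)."""
    watches = {}
    for line in rules_text.splitlines():
        args = shlex.split(line, comments=True)
        opts = dict(zip(args[0::2], args[1::2]))  # -w, -p and -k each take one value
        if "-w" in opts:
            # Assumption: a watch written without -p covers all of r, w, x and a.
            watches[opts["-w"]] = (opts.get("-p", "rwxa"), opts.get("-k"))
    return watches


def check_pairing(interests, watches):
    """Return (path, status) for every IDS interest.

    Simplification: paths are matched exactly; directory watches are not expanded.
    """
    results = []
    for path, access in interests:
        if path not in watches:
            status = "no-rule"          # IDS will never receive a record
        else:
            perms, key = watches[path]
            if access not in perms:
                status = "perm-mismatch"  # rule exists but not for this access type
            elif key is None:
                status = "no-key"         # records arrive with nothing to route on
            else:
                status = "ok"
        results.append((path, status))
    return results


if __name__ == "__main__":
    for path, status in check_pairing(SAMPLE_INTERESTS, parse_watches(SAMPLE_RULES)):
        print(f"{status:14} {path}")
```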