[RFC] programmatic IDS routing
Steve Grubb
sgrubb at redhat.com
Wed Mar 19 18:54:16 UTC 2008
On Wednesday 19 March 2008 14:18:12 Valdis.Kletnieks at vt.edu wrote:
> However, *no* amount of special tagging will allow the IDS to disambiguate
> these two cases:
>
> 1) An audit rule was set, but no events generated because no activity
> matched.
In which case you have nothing to worry about. :)
> 2) An audit rule wasn't set at all.
Again nothing to worry about since they haven't set the system up yet.
> "unless you have a matching audit rule you will not get any records" means
> exactly that - so tagging the records you don't receive isn't useful.
But if you don't receive any records, nothing happened. :)
> There *is* the more general case of "I had a generic rule and a special
> watch and *both* fired" - but that problem is in no way IDS specific,
Right, this *is* something to worry about. I was thinking that we could solve
this by having an option that tells the kernel to evaluate all rules and not
just first match.
I have also been wondering about detecting shadowed rules and warning when
auditctl finishes a file.
-Steve
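As an added illustration of the shadowing Steve describes (this is not code from the message or from the audit project), a small checker that walks an audit rules file under the assumption that the exit list is evaluated top to bottom and the first matching rule wins; a later rule whose `-S` syscalls and `-F` constraints are all already matched by an earlier rule is reported as shadowed. The rules file, keys and the simplified subset test are constructed for the example.

```python
"""Flag audit exit rules that an earlier, more general rule would shadow.

Assumption (a simplified model, not the kernel matcher): rules are tried in
file order, first match wins, and a rule covers a later one when its -S set
and -F constraints are a subset of the later rule's.  -F tokens are compared
verbatim, so "arch=b64" and "arch=x86_64" are treated as different constraints.
"""
import shlex

# Constructed sample rules file; the -k keys are invented for this example.
SAMPLE_RULES = """
# generic rule first, then a narrower watch on /etc that can never fire
-a always,exit -F arch=b64 -S open,openat -k generic_open
-a always,exit -F arch=b64 -S openat -F dir=/etc -k etc_watch
-a always,exit -F arch=b64 -S unlink -k deletes
-a always,exit -F arch=b32 -S openat -k compat_open
"""


def parse_rule(line):
    """Return (syscalls, fields, key) for an '-a always,exit' rule, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-a" or set(toks[1].split(",")) != {"always", "exit"}:
        return None
    syscalls, fields, key = set(), set(), None
    for i in range(2, len(toks) - 1, 2):  # options come in (flag, value) pairs
        opt, val = toks[i], toks[i + 1]
        if opt == "-S":
            syscalls.update(val.split(","))
        elif opt == "-F":
            fields.add(val)
        elif opt == "-k":
            key = val
    return syscalls, fields, key


def covers(general, specific):
    """True if everything `specific` matches is already matched by `general`."""
    gsys, gfields, _ = general
    ssys, sfields, _ = specific
    syscalls_ok = not gsys or "all" in gsys or ssys <= gsys  # no -S means any syscall
    return syscalls_ok and gfields <= sfields


def find_shadowed(text):
    """Return [(shadowed_key, shadowing_key)] for rules that can never fire."""
    rules = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                shadowed.append((later[2], earlier[2]))
                break
    return shadowed


if __name__ == "__main__":
    for victim, culprit in find_shadowed(SAMPLE_RULES):
        print(f"rule '{victim}' is shadowed by earlier rule '{culprit}'")
```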
More information about the Linux-audit mailing list