[RFC] programmatic IDS routing

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Mar 19 20:09:26 UTC 2008


On Wed, 19 Mar 2008 14:54:16 EDT, Steve Grubb said:

>> 2) An audit rule wasn't set at all.

> Again nothing to worry about since they haven't set the system up yet.

No - it's one of the failure modes you said you were worried about:

> The problem is that you can tell the IDS that you want any reads 
> of /opt/my-secrets, but unless you have a matching audit rule you will not 
> get any records. This allows you to make sure you have a watch paired with 
> its meaning.

Exactly - if you're missing the rule, you don't get records.

Determining whether it's a problem because a rule is missing, or not a
problem because "it's not set up yet", isn't anything the kernel should be
involved in - other than to maybe notify us "Hey dood, you have exactly zero
rules set, you might want to check what happened".

> I have also been wondering about detecting shadowed rules and warning when 
> auditctl finishes a file.

I wasn't even thinking about that - I was thinking of the ones that are like
the old SNL skit - a dessert topping *and* a floor wax.  Say, one rule triggered
on an event because it's an unsuccessful open, and another rule would have
triggered because it was a reference to a watched file....
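The check the thread is asking for, that a path an IDS wants watched actually has a matching audit watch rule loaded with the right access types. This is an added example, not code from the thread or from the audit project; it parses `auditctl -l` style `-w PATH -p PERMS -k KEY` lines (assumed output format), and embeds a constructed sample so it runs offline. Replace `SAMPLE_RULES` with `$(auditctl -l)` on a real host.

```shell
#!/bin/sh
# Constructed sample of `auditctl -l` output (assumed -w/-p/-k format).
# Note: /opt/my-secrets is watched for write/attr only, not reads.
SAMPLE_RULES='-w /etc/passwd -p wa -k passwd
-w /opt/my-secrets -p wa -k secrets
-a always,exit -F arch=b64 -S open -F success=0 -k failed_open'

# check_watch RULES PATH PERMS
# Prints "ok", "missing" (no -w rule for PATH), or "partial:<letters>"
# (a -w rule exists but lacks some of the wanted r/w/x/a letters).
check_watch() {
    rules=$1; want_path=$2; want_perms=$3
    line=$(printf '%s\n' "$rules" |
        awk -v p="$want_path" '$1=="-w" && $2==p {print; exit}')
    if [ -z "$line" ]; then
        echo missing
        return 0
    fi
    have=$(printf '%s\n' "$line" |
        awk '{for (i=1; i<NF; i++) if ($i=="-p") print $(i+1)}')
    lack=""
    for c in $(printf '%s' "$want_perms" | sed 's/./& /g'); do
        case "$have" in *"$c"*) ;; *) lack="$lack$c" ;; esac
    done
    if [ -n "$lack" ]; then
        echo "partial:$lack"
    else
        echo ok
    fi
}

# audit_expectations RULES PATH:PERMS [PATH:PERMS ...]
# Reports each expectation and returns non-zero if any is not "ok",
# so an IDS can refuse to arm a watch that the kernel will never report.
audit_expectations() {
    rules=$1; shift
    rc=0
    for spec in "$@"; do
        p=${spec%%:*}; perms=${spec#*:}
        r=$(check_watch "$rules" "$p" "$perms")
        [ "$r" = ok ] || rc=1
        printf '%s %s\n' "$p" "$r"
    done
    return $rc
}

audit_expectations "$SAMPLE_RULES" /etc/passwd:wa /opt/my-secrets:r /var/log/secure:r
```

The sample shows the exact case from the thread: reads of /opt/my-secrets are requested but only a `wa` watch is loaded, so the check reports `partial:r` instead of silently producing no records.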