[RFC] programmatic IDS routing

Steve Grubb sgrubb at redhat.com
Wed Mar 19 17:55:38 UTC 2008


On Wednesday 19 March 2008 13:40:21 Steve Grubb wrote:
> On Wednesday 19 March 2008 13:12:22 Linda Knippers wrote:
> > Rather than using the key for two purposes and introducing special key
> > words, couldn't an admin just tell the IDS which keys are of interest?
> > And what the priority of each one is?
>
> The problem is that you can tell the IDS that you want any reads
> of /opt/my-secrets, but unless you have a matching audit rule you will not
> get any records. This allows you to make sure you have a watch paired with
> its meaning.

And I should add, the IDS could run on each remote system, or off an 
aggregator. This means expressing rules gets more complicated when you have 
to express rules as on this particular host, I am looking for files in this 
location. To me, it's just simpler and hopefully less error prone to use the 
key field like this.

-Steve
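The pairing Steve describes, an audit watch whose key carries the meaning the IDS acts on, can be checked and consumed mechanically. The following is an added example written for this page, not code from the audit project or from anyone in the thread. It assumes a hypothetical key convention of the form `ids-<priority>-<meaning>`, and all rule lines and audit records in it are constructed samples. It does two things: it confirms that every file the IDS cares about is backed by a loaded watch whose key says what the event means (otherwise, as the reply above notes, no records ever arrive), and it routes raw records by key alone, so the same router works on a single host or on an aggregator without per-host path rules.

```python
"""Route Linux audit records to an IDS by the audit key field.

Added example for the discussion above; the "ids-<priority>-<meaning>" key
convention is hypothetical and all sample data below is constructed.
"""
import re
import shlex

PRIORITIES = ("high", "medium", "low")

# Constructed sample in the shape of `auditctl -l` output. The third watch
# deliberately has no key, so the IDS cannot attach a meaning to its events.
SAMPLE_RULES = """\
-w /opt/my-secrets -p r -k ids-high-secret-read
-w /etc/passwd -p wa -k ids-medium-identity-change
-w /var/log/audit/ -p wa
"""

# Constructed sample SYSCALL records: two IDS keys, one unkeyed record,
# and one key that belongs to some other consumer of the audit log.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1205949338.123:1001): arch=c000003e syscall=2 success=yes exit=3 key="ids-high-secret-read"
type=SYSCALL msg=audit(1205949339.456:1002): arch=c000003e syscall=2 success=yes exit=4 key="ids-medium-identity-change"
type=SYSCALL msg=audit(1205949340.789:1003): arch=c000003e syscall=2 success=yes exit=5 key=(null)
type=SYSCALL msg=audit(1205949341.012:1004): arch=c000003e syscall=2 success=yes exit=6 key="backup-job"
"""

KEY_RE = re.compile(r'\bkey="([^"]*)"')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def parse_key(key):
    """Return (priority, meaning) for an IDS key, or None for any other key."""
    parts = key.split("-", 2)
    if len(parts) != 3 or parts[0] != "ids" or parts[1] not in PRIORITIES:
        return None
    return parts[1], parts[2]


def parse_rules(text):
    """Map each watched path in auditctl -l style output to its key (None if unkeyed)."""
    watches = {}
    for line in text.splitlines():
        toks = shlex.split(line)
        path = key = None
        for i, tok in enumerate(toks):
            if tok == "-w" and i + 1 < len(toks):
                path = toks[i + 1]
            elif tok == "-k" and i + 1 < len(toks):
                key = toks[i + 1]
        if path is not None:
            watches[path] = key
    return watches


def check_interests(watches, interests):
    """Report IDS interests (path -> meaning) that no loaded watch and key back.

    Returns {path: reason}; an empty dict means every interest will actually
    produce records with the meaning the IDS expects."""
    problems = {}
    for path, meaning in interests.items():
        if path not in watches:
            problems[path] = "no audit watch"
            continue
        parsed = parse_key(watches[path] or "")
        if parsed is None:
            problems[path] = "watch has no IDS key"
        elif parsed[1] != meaning:
            problems[path] = "key meaning %r != %r" % (parsed[1], meaning)
    return problems


def route_records(text):
    """Return (serial, priority, meaning) for records carrying an IDS key.

    Unkeyed records and keys owned by other consumers are dropped, so the
    router needs no knowledge of which host or path produced the event."""
    routed = []
    for line in text.splitlines():
        m = KEY_RE.search(line)
        s = SERIAL_RE.search(line)
        if not m or not s:
            continue
        parsed = parse_key(m.group(1))
        if parsed is None:
            continue
        routed.append((s.group(1), parsed[0], parsed[1]))
    return routed


if __name__ == "__main__":
    watches = parse_rules(SAMPLE_RULES)
    interests = {"/opt/my-secrets": "secret-read",
                 "/var/log/audit/": "log-tamper",
                 "/srv/data": "data-read"}
    for path, why in check_interests(watches, interests).items():
        print("interest %s is not backed: %s" % (path, why))
    for serial, prio, meaning in route_records(SAMPLE_RECORDS):
        print("event %s -> %s (%s)" % (serial, prio, meaning))
```

On a real system the rule text would come from `auditctl -l` and the records from the audit log or an aggregator's feed; the point of routing on the key rather than on the path is that the key travels with the record, so one set of IDS rules serves every host that loaded the matching watch.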
