Re: [RFC] programmatic IDS routing

On Wednesday 19 March 2008 14:18:12 Valdis Kletnieks vt edu wrote:
> However, *no* amount of special tagging will allow the IDS to disambiguate
> these two cases:
> 1) An audit rule was set, but no events generated because no activity
> matched.

In which case you have nothing to worry about.  :)

> 2) An audit rule wasn't set at all.

Again nothing to worry about since they haven't set the system up yet.

> "unless you have a matching audit rule you will not get any records" means
> exactly that - so tagging the records you don't receive isn't useful.

But if you don't receive any records, nothing happened. :)

> There *is* the more general case of "I had a generic rule and a special
> watch and *both* fired" - but that problem is in no way IDS specific,

Right, this *is* something to worry about. I was thinking that we could solve 
this by having an option that tells the kernel to evaluate all rules and not 
just first match.

I have also been wondering about detecting shadowed rules and warning when 
auditctl finishes a file.
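As an added illustration of the two ideas raised above (an evaluate-all option versus first-match, and warning about shadowed rules when a rule file is loaded), the following script is example code written for this thread, not code from the audit project or auditctl. It parses a simplified subset of auditctl syscall-rule syntax assumed here (`-a list,action`, `-S syscalls`, `-F name=value` with `=` only, `-k key`; `-w` watches and other comparison operators are out of scope), flags later rules that an earlier rule on the same list already fully covers, and shows which keys a constructed event would carry under first-match versus evaluate-all semantics. The rule lines and the event are constructed sample data.

```python
"""Detect shadowed audit syscall rules under first-match evaluation.

Added example for the mailing-list discussion; not part of auditctl.
Assumed simplified syntax: '-a <list>,<action>', '-S <sc>[,<sc>...]',
'-F <field>=<value>' (only '=') and '-k <key>'. Watch rules (-w) and
other operators are out of scope.
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    lst: str                       # filter list, e.g. "exit"
    action: str                    # "always" or "never"
    syscalls: frozenset            # empty set means "all syscalls"
    fields: dict = field(default_factory=dict)  # -F name=value constraints
    key: str = ""                  # -k key
    text: str = ""                 # original rule line


def parse_rule(line: str) -> Rule:
    """Parse one auditctl-style rule line (simplified syntax, see module doc)."""
    toks = shlex.split(line)
    lst = action = None
    syscalls, fields, key = set(), {}, ""
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-a":
            lst, action = arg.split(",", 1)
        elif opt == "-S":
            if arg != "all":
                syscalls.update(arg.split(","))
        elif opt == "-F":
            name, value = arg.split("=", 1)   # only '=' is supported here
            fields[name] = value
        elif opt == "-k":
            key = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    if lst is None:
        raise ValueError(f"rule has no -a list,action: {line!r}")
    return Rule(lst, action, frozenset(syscalls), fields, key, line)


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every event matching `later` is already matched by `earlier`,
    so under first-match semantics `later` can never fire."""
    if earlier.lst != later.lst:
        return False
    # Syscall coverage: an empty set means the earlier rule covers all syscalls.
    if earlier.syscalls and not (later.syscalls and later.syscalls <= earlier.syscalls):
        return False
    # The earlier rule must impose no constraint the later rule does not share.
    return all(later.fields.get(n) == v for n, v in earlier.fields.items())


def find_shadowed(rules):
    """Return (shadowed_index, shadowing_index) pairs in rule-file order."""
    out = []
    for j, later in enumerate(rules):
        for i in range(j):
            if shadows(rules[i], later):
                out.append((j, i))
                break
    return out


def matching_rules(event, rules, evaluate_all=False):
    """Keys of the rules an event matches: first match only (current kernel
    behaviour as described in the thread) or every match (the proposed option)."""
    hits = []
    for r in rules:
        if r.lst != event["list"]:
            continue
        if r.syscalls and event["syscall"] not in r.syscalls:
            continue
        if any(event.get(n) != v for n, v in r.fields.items()):
            continue
        hits.append(r.key)
        if not evaluate_all:
            break
    return hits


# Constructed sample rule file: a generic open() rule followed by a
# more specific rule on the same syscall, then an unrelated rule.
SAMPLE_RULES = [
    "-a exit,always -S open -k all-opens",
    "-a exit,always -S open -F path=/etc/shadow -k shadow-file",
    "-a exit,always -S execve -F euid=0 -k root-exec",
]

if __name__ == "__main__":
    rules = [parse_rule(line) for line in SAMPLE_RULES]
    for j, i in find_shadowed(rules):
        print(f"rule {j} is shadowed by rule {i}: {rules[j].text!r}")
    ev = {"list": "exit", "syscall": "open", "path": "/etc/shadow"}
    print("first match:", matching_rules(ev, rules))
    print("all matches:", matching_rules(ev, rules, evaluate_all=True))
```

With the sample file, the second rule is reported as shadowed by the first, and the constructed `open` of `/etc/shadow` yields only `all-opens` under first-match but both `all-opens` and `shadow-file` when every rule is evaluated, which is the situation the thread calls the one worth worrying about.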
