[RFC] programmatic IDS routing

Linda Knippers linda.knippers at hp.com
Wed Mar 19 23:00:41 UTC 2008 

Steve Grubb wrote:
> On Wednesday 19 March 2008 17:41:07 Eric Paris wrote:
>> So maybe all we need is for the ids config file needs to be of the form
>>
>> key type priority
> 
> And hostname. Remember that this could be run from an aggregator.
> 
> 
>> so I can set up my audit rule however I want say
>>
>> -a always,exit -F perms=wa -F auid>=500 -F exit=-EPERM -F dir=/etc -k
>> 500EPERM -a always,exit -F perms=wa -F subj_role=webadmin_r -F exit=-EPERM
>> -k webadminEPERM
>>
>> And my ids config file would look like:
>>
>> 500EPERM        file    med
>> webadminEPERM   exec    high
> 
> This is pretty close to the idea that I started with. Then I thought, how do I 
> make this engine run faster? How do I reduce memory consumption (since the 
> keys have to be stored in memory)? 

How does overloading the key field help either of those?

> How do I make sure that the keys are there and correct?

That can be a startup check.
> 
>> And on startup the ids can easily look to see if 500EPERM and
>> webadminEPERM are actually keys to real rules just for sanity sake.  
> 
> Sure...but audit rules are loaded after auditd starts so that we can record 
> them being put into effect. So, you would have to wait for a a while after 
> startup to do this.

So the IDS starts after auditd, but it depends on auditd anyway.
> 
>> Is the reverse mapping from key to ids action really so expensive that this
>> is unreasonable?
> 
> Consider a datacenter with many hosts that may want to run this off of the 
> aggregator. There will be a high rate of incoming events and a bit of 
> comparing to figure out if each event something we care about. 

I think if someone is using audit as an IDS, they're going to care about
everything they're auditing or why are they auditing it?
> 
> With my proposal, I can tell with strncmp(key, "ids-", 4) if this is anything 
> we need to pay attention to. So, inspection of 4 bytes let me decide yes/no. 

Who is doing this, the auditd, the dispatcher or the plugin?
Couldn't you hash the key?

> Its a finite amount of time and doesn't linearly slow down the system as more 
> hosts and files of interest are configured. It scales well.
> 
> 
>> I tend to also agree with the part of the discussion which says that it
>> isn't audit's place to decide that some rules are meant for disk and
>> some rules aren't. 
> 
> I agree and never proposed that.

I guess Eric and I were both confused then by your comment about the
admin ending up with more audit events on disk than intended.

-- ljk
> 
> -Steve

More information about the Linux-audit mailing list