Reactive rules (from juro.fit at gmail.com)
Steve Grubb
sgrubb at redhat.com
Mon Aug 24 19:28:50 UTC 2009
On Wednesday 19 August 2009 03:12:05 am Miloslav Trmac wrote:
> I suggest that a change should be done in the kernel. The events
> are filtered in it so that there is no need parsing the messages
> sent to the auditd and this solution wouldn't cause any increase
> in the load of the system caused by auditing.
I suppose you could hook into the exclude filter and check events there.
> First of all, the syntax of the rules should be changed a bit to
> include reactive rules. It could look like this:
>
> rule1
> rule2 {
> rule2_1
> rule2_2
> }
> rule3
>
> When an event that rule2 watches for occurs, rule2_1 and rule2_2
> will be added/removed to/from the rule set.
You could also do matching based on a new field rather than change the syntax
of the rules. It could work like the key field except it's a number. The high bit
could determine if it's add/delete.
> The change in the syntax means a change in auditctl.c. Also,
> struct audit_rule_data needs to be altered to include some flag
> that makes it possible to recognize between the types of rules
> when passed to the kernel.
The less changed in the kABI the better. It needs to stay backward/forward
compatible in different combinations of kernel and user space.
-Steve
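A user-space prototype of the nested rule syntax quoted above, added here as an example; it is not code from this thread, from auditctl or from the kernel. It assumes that a rule's name doubles as the event key it watches for, and that a parent match toggles its children (the proposal says added/removed without specifying which), so the activation semantics can be tried out before anyone touches auditctl.c or struct audit_rule_data.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One audit rule; children are the reactive rules it controls."""
    name: str
    children: list = field(default_factory=list)


def parse_rules(text):
    """Parse the proposed syntax: 'rule' or 'rule {' ... '}' (nesting allowed)."""
    stack = [Rule("<root>")]
    for line in text.splitlines():
        tok = line.strip()
        if not tok:
            continue
        if tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok.endswith("{"):
            parent = Rule(tok[:-1].strip())
            stack[-1].children.append(parent)
            stack.append(parent)
        else:
            stack[-1].children.append(Rule(tok))
    if len(stack) != 1:
        raise ValueError("missing '}'")
    return stack[0].children


class ReactiveSet:
    """Simulated loaded rule set; only top-level rules are loaded at start."""
    def __init__(self, rules):
        self.loaded = {r.name: r for r in rules}

    def on_event(self, key):
        """Assumption: event key == rule name; a match toggles that rule's children."""
        parent = self.loaded.get(key)
        for child in (parent.children if parent else []):
            if child.name in self.loaded:
                del self.loaded[child.name]      # rule2_x already loaded: remove it
            else:
                self.loaded[child.name] = child  # not loaded yet: add it
        return sorted(self.loaded)


# Constructed sample: the rule file quoted in the thread.
SAMPLE = "rule1\nrule2 {\nrule2_1\nrule2_2\n}\nrule3\n"

if __name__ == "__main__":
    rs = ReactiveSet(parse_rules(SAMPLE))
    print(rs.on_event("rule2"))  # rule2 fired: rule2_1 and rule2_2 now loaded
    print(rs.on_event("rule2"))  # fired again: both removed
```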