[PATCH] audit keys: support for multiple audit keys

Juraj Hlista juro.hlista at gmail.com
Fri Mar 12 20:24:38 UTC 2010


On Fri, Mar 12, 2010 at 8:40 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Friday 12 March 2010 10:25:31 am Juraj Hlista wrote:
>> I knew that more keys can be added with the 0x01 separator. However, this
>> patch supports different types of keys and plugins could recognize audit
>> events using them.
>>
>> For example, I'm working on reactive audit and I need to separate normal
>> audit events from those generated by reactive rules and find out which
>> reaction(s) should be triggered. -F react=reaction can be added to the
>> audit (AUDIT_REACTKEY) and audit events would include reaction identifiers
>> such as react="reaction"
>
> OK, I see. What I would suggest is a mechanism with a new name. One thing I
> will point out is that the kernel prefers to work off of integers instead of
> strings. Strings are for people, numbers are for the computer. (E.g. root vs
> 0.) So, I would consider calling this something else and using integers so
> that comparisons are faster.
>
> -Steve
>

I intended to use a separate configuration file for the reactive plugin where
definitions of reactions are kept, for instance:

"reaction1" {
     add "exit,always -S open ...."
     exec "...."
}

"reaction2" {
     ...
}

where "reaction1" and "reaction2" are identifiers of reactions.

Do you suggest I should use numbers instead of strings within the
configuration file?
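Added example, not code from the thread or from the audit project: a Python sketch of the two things the reactive plugin described above has to do, namely read reaction definitions in the block syntax sketched in the mail and pick the reactions to trigger out of audit records whose key field carries several keys joined with the 0x01 separator. The config contents, the record text and the assumption that a react= field uses the same separator as key= are all constructed for this example.

```python
import re
# Multiple keys in one record are joined with the 0x01 separator the thread
# mentions; the sample records below are constructed and already decoded.
KEY_SEPARATOR = "\x01"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BLOCK_RE = re.compile(r'"([^"]+)"\s*\{([^}]*)\}')
STMT_RE = re.compile(r'\b(add|exec)\s+"([^"]*)"')

# Constructed config in the block syntax sketched in the mail; rule strings
# and script paths are placeholders, not real project values.
SAMPLE_CONFIG = '''
"reaction1" {
     add "-a exit,always -S open -F dir=/etc -F perm=wa"
     exec "/usr/local/sbin/lock-account.sh"
}
"reaction2" {
     add "-w /etc/audit/audit.rules -p wa"
     exec "/usr/local/sbin/notify-admin.sh"
}
'''

# Constructed records: an ordinary event, then one raised by a reactive rule
# carrying two keys plus the proposed react= identifier.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1268425478.123:42): syscall=2 success=yes key="watch-etc"',
    'type=SYSCALL msg=audit(1268425478.456:43): syscall=2 success=yes '
    'key="watch-etc\x01audit-cfg" react="reaction1"',
]

def parse_reactions(config):
    """Map each reaction identifier to its 'add' rules and 'exec' commands."""
    reactions = {}
    for name, body in BLOCK_RE.findall(config):
        stmts = {"add": [], "exec": []}
        for keyword, arg in STMT_RE.findall(body):
            stmts[keyword].append(arg)
        reactions[name] = stmts
    return reactions
def parse_fields(record):
    """Split one audit record into name=value pairs, stripping quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(record)}
def split_keys(value):
    """Split a key-style field on the 0x01 separator, dropping empty parts."""
    return [k for k in value.split(KEY_SEPARATOR) if k]
def reactions_for(record, config):
    """Reaction ids named in react= (assumed to share key='s separator) that
    the config defines; ordinary events have no react= and yield nothing."""
    fields = parse_fields(record)
    return [r for r in split_keys(fields.get("react", "")) if r in config]
```

Identifiers that no config block defines are dropped rather than triggered, so a stray or mistyped react= value in a record cannot run anything.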