[PATCH] audit keys: support for multiple audit keys
Steve Grubb
sgrubb at redhat.com
Fri Mar 12 20:53:31 UTC 2010
On Friday 12 March 2010 03:24:38 pm Juraj Hlista wrote:
> On Fri, Mar 12, 2010 at 8:40 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > OK, I see. What I would suggest is a mechanism with a new name. One thing
> > I will point out is that the kernel prefers to work off of integers
> > instead of strings. Strings are for people, numbers are for the
> > computer. (E.g. root vs 0.) So, I would consider calling this something
> > else and using integers so that comparisons are faster.
> >
> I intended to use a separate configuration file for the reactive plugin
> where definitions of reactions are kept, for instance:
>
> "reaction1" {
> add "exit,always -S open ...."
> exec "...."
> }
>
> "reaction2" {
> ...
> }
>
> where "reaction1" "reaction2" are identifiers of reactions.
You can have strings for the config file and listing out, but the kernel really
operates off of numbers as much as possible. IOW, the external and internal
representations do not have to be the same. You could have detect=1 and react=1
so that when a rule triggers, you have an integer of what was detected which
also serves as an index into a reaction list.
> Do you suggest I should use numbers instead of strings within the
> configuration file?
I would think about it more and see if I could get it down to numbers somehow.
-Steve
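An added sketch of the external/internal split Steve describes, not code from this thread or from the audit project: the config keeps human-readable reaction names, each block is assigned a small integer when parsed, and that integer is what an incoming record is matched on. The sample config and the convention of tagging the added rule with `-k react=<id>` are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the config format sketched in the thread (not a real file).
SAMPLE_CONFIG = '''
"reaction1" {
    add "exit,always -S open -F dir=/etc"
    exec "/usr/local/bin/notify-admin"
}
"reaction2" {
    add "exit,always -S execve -F uid=0"
    exec "/usr/local/bin/lock-account"
}
'''

BLOCK_RE = re.compile(r'"([^"]+)"\s*\{(.*?)\}', re.S)          # "name" { ... }
STMT_RE = re.compile(r'^\s*(add|exec)\s+"([^"]*)"\s*$', re.M)  # add "..." / exec "..."

@dataclass
class Reaction:
    ident: int     # integer id: the representation the matching code works on
    name: str      # string name: the representation people see in the config
    rule: str      # audit rule text, tagged with the id as its key
    command: str   # what to run when a record carrying that key arrives

def parse_reactions(text: str) -> List[Reaction]:
    """Assign each named reaction a 1-based integer id (0 is left for 'no reaction')."""
    reactions: List[Reaction] = []
    for block in BLOCK_RE.finditer(text):
        name, body = block.group(1), block.group(2)
        fields = dict(STMT_RE.findall(body))
        if "add" not in fields or "exec" not in fields:
            raise ValueError(f"reaction {name!r} needs both 'add' and 'exec'")
        ident = len(reactions) + 1
        # Hypothetical convention: the id rides along as the rule key (-k react=N),
        # so dispatch never compares reaction names, only the integer in the key.
        rule = f"{fields['add']} -k react={ident}"
        reactions.append(Reaction(ident, name, rule, fields["exec"]))
    return reactions

def lookup_by_key(reactions: List[Reaction], key: str) -> Optional[Reaction]:
    """Map the key field of an incoming record straight to a list index."""
    m = re.fullmatch(r"react=(\d+)", key)
    if not m:
        return None
    ident = int(m.group(1))
    return reactions[ident - 1] if 1 <= ident <= len(reactions) else None
```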