On Wed, Mar 31, 2010 at 12:23 AM, Al Viro <viro(a)zeniv.linux.org.uk> wrote:
> On Wed, Mar 31, 2010 at 12:17:11AM +0200, Juraj Hlista wrote:
> > From: Juraj Hlista <juro.hlista(a)gmail.com>
> >
> > Add support for reactive rules. An audit rule can contain more than one reaction. The
> > reactions are identified by numbers in the kernel and by strings in the user space.
>
> Huh? We already have a way to associate a unique key with a rule; what does
> that patch offer that can't be happily handled by userland with what we
> already have?
If the key was used to associate reactions with a rule, it could be
done, for example, by adding a "react-" prefix to the key (-F
key=react-r1). In order to detect whether a match was found with a
reactive rule, every single audit event would have to be checked for
whether it includes a key with the "react-" prefix, which is not
effective.

There is no need to parse audit events and check whether they have such a
key. When a match with a reactive rule is found, the patch adds
a new record at the beginning of the audit event, for example:
type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fff8022f767 a1=941 a2=1b6 a3=7fff8022e040 items=2 ppid=2777 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4): cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=0 name="/tmp/" inode=8112 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file" inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
User space only checks the type of the record instead of parsing
it and looking for keys. The REACT_RULE record carries only a list of
reactions; the mapping of reaction numbers to strings is described in:
https://www.redhat.com/archives/linux-audit/2010-March/msg00040.html
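As an added illustration of the two approaches discussed in this reply (not code from the patch, from audit userspace or from either author), the following Python script groups audit records into events by serial number and compares the key-prefix check Al asked about with the REACT_RULE type check. The sample log lines are constructed: the first event is the one shown above, the other two are invented. The "react-" prefix, the treatment of react= as a comma-separated list of numbers, and the count of records each approach has to inspect are assumptions made for the example.

```python
import re
from collections import OrderedDict

# Constructed sample log (not real system output): event 4 is the event
# quoted in the message above; events 5 and 6 are invented. Event 5 uses the
# "react-" key convention that the key-based alternative would rely on.
SAMPLE_LOG = """\
type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fff8022f767 a1=941 a2=1b6 a3=7fff8022e040 items=2 ppid=2777 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4): cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=0 name="/tmp/" inode=8112 dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file" inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1270026010.120:5): arch=c000003e syscall=2 success=yes exit=3 a0=7fff8022f767 a1=941 a2=1b6 a3=7fff8022e040 items=1 ppid=2777 pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="react-r1"
type=CWD msg=audit(1270026010.120:5): cwd="/root"
type=PATH msg=audit(1270026010.120:5): item=0 name="/etc/passwd" inode=1234 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1270026015.300:6): arch=c000003e syscall=2 success=no exit=-2 a0=7fff8022f767 a1=0 a2=0 a3=0 items=1 ppid=2777 pid=2815 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="ls" exe="/bin/ls" key="other"
type=PATH msg=audit(1270026015.300:6): item=0 name="/nonexistent" inode=0 dev=00:00 mode=0 ouid=0 ogid=0 rdev=00:00
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <fields...>
HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
# key=value pairs; values may be quoted, parenthesised such as (null), or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

KEY_PREFIX = "react-"  # assumed convention for the key-based alternative


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": ts, "serial": int(serial), "fields": fields}


def group_events(lines):
    """Group records into events by serial number, keeping arrival order."""
    events = OrderedDict()
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def reactions_by_key(event):
    """Key-based alternative: every record of the event has to be parsed and
    its key field examined. Returns (reaction names, records inspected)."""
    found, inspected = [], 0
    for rec in event:
        inspected += 1
        key = rec["fields"].get("key")
        if key and key != "(null)" and key.startswith(KEY_PREFIX):
            found.append(key[len(KEY_PREFIX):])
    return found, inspected


def reactions_by_record(event):
    """Patch's approach: only the type of the first record is checked.
    react= is assumed to be a comma-separated list of reaction numbers."""
    first = event[0]
    if first["type"] != "REACT_RULE":
        return [], 1
    numbers = [int(n) for n in first["fields"]["react"].split(",") if n]
    return numbers, 1


def scan(log_text):
    """Run both approaches over a log and report results per event serial."""
    out = {}
    for serial, event in group_events(log_text.splitlines()).items():
        out[serial] = {
            "by_record": reactions_by_record(event),
            "by_key": reactions_by_key(event),
        }
    return out


if __name__ == "__main__":
    for serial, res in scan(SAMPLE_LOG).items():
        print("event %d: REACT_RULE -> %s (inspected %d), key prefix -> %s (inspected %d)"
              % (serial, res["by_record"][0], res["by_record"][1],
                 res["by_key"][0], res["by_key"][1]))
```

Running the script shows the difference the reply is making: for the reactive event the REACT_RULE check settles the question after one record, whereas the key-prefix check has to parse all five records of the event, and for events that carry no reaction at all it still parses every record before it can give up. In the real audit stream the event boundary is not known until an EOE record or the next serial arrives, so a key-based consumer also has to buffer records it would otherwise discard.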