Re: Auditd and Watches

On Thursday 24 May 2007 09:53, Simmons Jr,Felix wrote: This seems slightly odd output. What kernel and audit package are you using? Yes if you are using 2.6.16 and later kernels. /usr/include/libaudit.h has this table: * 1000 - 1099 are for commanding the audit system * 1100 - 1199 user space trusted application messages * 1200 - 1299 messages internal to the audit daemon * 1300 - 1399 audit event messages * 1400 - 1499 kernel SE Linux use * 1500 - 1599 AppArmor events * 1600 - 1699 kernel crypto events * 1700 - 1799 kernel anomaly records * 1800 - 1999 future kernel use (maybe integrity labels and related events) * 2001 - 2099 unused (kernel) * 2100 - 2199 user space anomaly records * 2200 - 2299 user space actions taken in response to anomalies * 2300 - 2399 user space generated LSPP events * 2400 - 2499 user space crypto events * 2500 - 2999 future user space (maybe integrity labels and related events) So, you could do: -a exclude,always -F msgtype>=1100 -F msgtype<=1299 -a exclude,always -F msgtype>=1400 -F msgtype<=2999 Although I recommend widening the choices to allow SE Linux AVC's through. And note that if you try to type this at a command prompt, you will need quotes around "msgtype>=1100" since <> are something the shell will interpret. Yes, I am working on a IDS/IPS system, too. But it doesn't use the logs, rather it uses the realtime interface so it can react in realtime. I made a presentation about it at the Red Hat Summit a couple weeks ago and put my presentation here: http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp To some extent that is what's driving development and requirements for the audit event dispatcher and the audit parsing library. -Steve