On Tuesday 06 April 2010 05:13:49 am Juraj Hlista wrote:
> The patches were denied, because it can be implemented without
> touching the kernel (in the audit plugin, which I'm working on now)
Yes. It should be possible to set a list of parameters to match against and
then run auditctl when a match is found. Auditctl can delete by key, so if you
have a set of rules for a specific reaction, then you can add a key to the
rules. Then if another rule is matched that would want to delete the rules,
you can do that. For example, mount might require adding rules, unmount would
probably delete any watches, but you can make sure everything is gone with a
second match. Same thing with logon/logoff of a specific user.
-Steve
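The reaction scheme Steve describes above, as an added example that is not part of this thread, the audit plugin Juraj mentions, or any code shipped with audit: a minimal audispd-style plugin that reads raw audit records from stdin, matches them against a list of field/value conditions, and runs auditctl when a match is found. Rules added in reaction carry a key of their own so that a later match (umount, logout) can remove them with `auditctl -D -k key`, which deletes every rule tagged with that key. The base rules that tag the trigger events (`-S mount -k react-mount`, `-S umount2 -k react-umount`), the mount point `/mnt/data`, the uid 1001 and the sample records are all constructed for this example; a real plugin would take the mount point from the event's PATH/CWD records rather than hard-coding it.

```python
#!/usr/bin/env python3
"""Tiny audispd-style plugin: match audit records, react by running auditctl.

Assumed base rules already loaded (constructed for this example):
    auditctl -a always,exit -F arch=b64 -S mount   -k react-mount
    auditctl -a always,exit -F arch=b64 -S umount2 -k react-umount
Login/logout records (USER_LOGIN / USER_LOGOUT) need no rule; auditd emits them.
"""
import re
import shlex
import subprocess
import sys

# name=value, where value is "double quoted", 'single quoted' or a bare token
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """Split one raw audit record into a dict of field -> value.

    The nested msg='op=login id=... res=success' payload of user-space records
    is parsed recursively so its fields (res, exe, ...) are matchable too.
    """
    fields = {}
    for name, value in FIELD_RE.findall(line):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_record(value[1:-1]))
        else:
            fields[name] = value.strip('"')
    return fields


# Reaction table: every condition in "when" must match the record's fields.
# Rules added in reaction get their own key (dyn-*) so they can be deleted
# as a set later with "auditctl -D -k <key>".
REACTIONS = [
    {"when": {"type": "SYSCALL", "key": "react-mount", "success": "yes"},
     "run": ["auditctl", "-w", "/mnt/data", "-p", "wa", "-k", "dyn-mnt"]},
    {"when": {"type": "SYSCALL", "key": "react-umount", "success": "yes"},
     "run": ["auditctl", "-D", "-k", "dyn-mnt"]},
    {"when": {"type": "USER_LOGIN", "auid": "1001", "res": "success"},
     "run": ["auditctl", "-a", "always,exit", "-F", "arch=b64",
             "-S", "open,openat", "-F", "auid=1001", "-k", "dyn-user-1001"]},
    {"when": {"type": "USER_LOGOUT", "auid": "1001"},
     "run": ["auditctl", "-D", "-k", "dyn-user-1001"]},
]


def react(line, reactions=REACTIONS, execute=False):
    """Return the auditctl command lines triggered by one record.

    With execute=True each command is actually run (needs CAP_AUDIT_CONTROL).
    Several reactions may fire on one record; they run in table order.
    """
    rec = parse_record(line)
    triggered = []
    for reaction in reactions:
        if all(rec.get(k) == v for k, v in reaction["when"].items()):
            triggered.append(reaction["run"])
            if execute:
                subprocess.run(reaction["run"], check=False)
    return triggered


# Constructed sample records (x86_64: syscall 165 = mount, 166 = umount2).
SAMPLE = [
    'type=SYSCALL msg=audit(1270545229.123:456): arch=c000003e syscall=165 '
    'success=yes exit=0 auid=1000 uid=0 key="react-mount"',
    'type=SYSCALL msg=audit(1270545300.456:470): arch=c000003e syscall=166 '
    'success=yes exit=0 auid=1000 uid=0 key="react-umount"',
    'type=USER_LOGIN msg=audit(1270545400.789:480): pid=2345 uid=0 auid=1001 '
    "ses=7 msg='op=login id=1001 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=10.0.0.5 terminal=/dev/pts/1 res=success'",
    'type=USER_LOGOUT msg=audit(1270549000.001:512): pid=2345 uid=0 auid=1001 '
    "ses=7 msg='op=logout id=1001 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=10.0.0.5 terminal=/dev/pts/1 res=success'",
]


def main(argv):
    # As an audispd plugin, records arrive one per line on stdin.
    # "--dry-run" only prints what would be executed; "--demo" uses SAMPLE.
    execute = "--dry-run" not in argv
    source = SAMPLE if "--demo" in argv else sys.stdin
    for line in source:
        for cmd in react(line.rstrip("\n"), execute=execute):
            print(("ran: " if execute else "would run: ") + shlex.join(cmd))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Try it with `python3 react_plugin.py --demo --dry-run` to see the four commands without touching the running rule set; deleting by key is what makes the "make sure everything is gone" step cheap, since one `-D -k` removes every rule the earlier match added, including any a second match might have duplicated.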