On Fri, Mar 12, 2010 at 1:45 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Friday 12 March 2010 02:44:22 am Juraj Hlista wrote:
> > An audit rule can have more than 1 key, the keys can be of
> > different types (only AUDIT_FILTERKEY for now)
>
> We discussed this about 2 years ago and came up with this solution:
> https://www.redhat.com/archives/linux-audit/2008-March/msg00125.html
>
> > For example, it is possible to create a rule such as:
> > auditctl -a exit,always -F path=/file -F key=k1 -F key=k2 -F key=k3
>
> Any audit package since 1.7 supports this syntax already. What does this patch
> provide that we don't already have? IOW, we already solved this problem 2
> years ago, I am wondering if you knew we already can do this?
>
> -Steve
I knew that more keys can be added with the 0x01 separator. However, this patch
supports different types of keys, and plugins could recognize audit events
using them.

For example, I'm working on reactive audit and I need to separate normal audit
events from those generated by reactive rules and find out which reaction(s)
should be triggered. -F react=reaction can be added to the audit rule
(AUDIT_REACTKEY) and audit events would include reaction identifiers such as
react="reaction".

Also, I know about the "ids-..." key and I could use something like
"react-...", but the plugin would have to go through all the key="..." and
compare which of them have "react-" at the beginning.
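The prefix scan Juraj describes, as an added example (Python, not code from this thread or from the audit userspace project): it pulls the key field out of a raw audit record, splits it on the 0x01 separator the thread refers to, and keeps the keys that start with an agreed "react-" prefix. It assumes that the kernel hex-encodes a field value containing control characters (so a multi-key value appears as key=6B31... rather than key="k1"), that a rule with no key is logged as key=(null), and that the sample records, which are constructed here rather than captured from a system, use a plausible SYSCALL layout.

```python
import re

# auditctl joins keys from repeated -F key=... with a 0x01 byte (the "0x01
# separator" the thread mentions); assumed here as the on-the-wire form.
KEY_SEPARATOR = "\x01"

# The key field of a raw record is one of: a quoted string, a hex string (the
# kernel hex-encodes untrusted strings holding control characters, which any
# 0x01-joined multi-key value does), or the literal (null) for a rule without
# a key. Anchoring on whitespace keeps "subkey=" style fields from matching.
KEY_FIELD_RE = re.compile(
    r'(?:^|\s)key=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+)|(?P<null>\(null\)))'
)


def encode_key_field(keys):
    """Render a list of keys the way a raw audit record would show them.
    Only used to build the constructed sample records below."""
    if not keys:
        return "key=(null)"
    value = KEY_SEPARATOR.join(keys)
    if any(ord(c) < 0x20 or ord(c) > 0x7E or c == '"' for c in value):
        return "key=" + value.encode("utf-8").hex().upper()
    return 'key="%s"' % value


def decode_key_field(record):
    """Return every key carried by a raw audit record, in rule order."""
    m = KEY_FIELD_RE.search(record)
    if m is None or m.group("null") is not None:
        return []
    if m.group("quoted") is not None:
        value = m.group("quoted")
    else:
        value = bytes.fromhex(m.group("hex")).decode("utf-8", errors="replace")
    return [k for k in value.split(KEY_SEPARATOR) if k]


def reactions_for_record(record, prefix="react-"):
    """What a plugin has to do without a dedicated key type: walk every key
    and keep the suffix of those that carry the agreed prefix."""
    return [k[len(prefix):] for k in decode_key_field(record)
            if k.startswith(prefix)]


# Constructed sample records; field values are invented, not captured.
_BASE = ('type=SYSCALL msg=audit(1268400000.123:%d): arch=c000003e syscall=2 '
         'success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4242 '
         'auid=1000 uid=1000 gid=1000 comm="cat" exe="/bin/cat" ')
SAMPLE_RECORDS = [
    _BASE % 42 + encode_key_field(["k1"]),                               # one key, quoted
    _BASE % 43 + encode_key_field(["k1", "react-mail", "react-block"]),  # three keys, hex
    _BASE % 44 + encode_key_field([]),                                   # no key
]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(decode_key_field(rec), "->", reactions_for_record(rec))
```

Run as a script it prints the decoded key list and the extracted reaction names for each constructed record; the second record, whose three keys are hex-encoded because of the embedded 0x01 bytes, yields reactions "mail" and "block".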