On Thursday 06 January 2005 16:52, Browder, Tom wrote:
> From a newbie trying to satisfy my minimum audit requirements: I've
> looked at the source briefly and wonder if you might add to TODO:
>
> 1. Add a separate conf file for rules (say, /etc/audit.rules.conf; or
> put them in the /etc/auditd.conf file). (Is that the "rules loader"?)

Yes. It's all rolled into that.

> 2. Have rules capable of responding to a user by name (or a negation of
> user names), exit success of the syscall, and argument to the syscall
> (and syscall by name as you already mention in TODO). (You probably do
> most of this, I just haven't figured out all the rule rules yet.)

The rule loader can probably do the translation of user to uid. Otherwise, I
think the current framework does all this.

> 3. Allow user formatting of messages (e.g., eliminate unwanted fields)

That might save some disk space. I'll add this near the bottom.

> 4. You mention log rotation in TODO, can't the system logrotate handle
> it (through the /etc/logrotate.conf file)?

No. Logrotate must stop and start daemons if they have an open descriptor. We
need to do this ourselves.

> An example of a rule I want is to report when user X tries
> unsuccessfully to unlink a specific file.

I'm pretty sure this can be done:

assuming user x is uid 501

auditctl -a entry always -S unlink -F uid=501 arg0=file

The main issue I see is figuring out what unsuccessful means and putting that
into syntax. < is not an option. It might be success!=0.
-Steve Grubb