On Fri, Mar 12, 2010 at 8:40 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday 12 March 2010 10:25:31 am Juraj Hlista wrote:
> I knew that more keys can be added with the 0x01 separator. However, this
> patch supports different types of keys and plugins could recognize audit
> events using them.
>
> For example, I'm working on reactive audit and I need to separate normal
> audit events from those generated by reactive rules and find out which
> reaction(s) should be triggered. -F react=reaction can be added to the audit (AUDIT_REACTKEY)
> and audit events would include reaction identifiers such as
> react="reaction"
OK, I see. What I would suggest is a mechanism with a new name. One thing I
will point out is that the kernel prefers to work off of integers instead of
strings. Strings are for people, numbers are for the computer. (E.g. root vs
0.) So, I would consider calling this something else and using integers so
that comparisons are faster.
-Steve
I intended to use a separate configuration file for the reactive plugin where
definitions of reactions are kept, for instance:
"reaction1" {
add "exit,always -S open ...."
exec "...."
}
"reaction2" {
...
}
where "reaction1" "reaction2" are identifiers of reactions.
Do you suggest I should use numbers instead of strings within the
configuration file?
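As an added example (not code from this thread or from the audit project), here is a small parser for the reaction-definition syntax sketched above: it reads the `"name" { add "..." exec "..." }` blocks and assigns each named reaction a small integer identifier for fast comparison, along the lines Steve suggests. The sample configuration, rule strings and exec paths are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the block syntax from the thread; the audit rule
# strings and command paths are placeholders, not a real configuration.
SAMPLE_CONFIG = '''
"reaction1" {
    add "exit,always -S open -F dir=/etc"
    exec "/usr/local/sbin/notify-admin"
}
"reaction2" {
    add "exit,always -S execve"
    exec "/usr/local/sbin/quarantine"
}
'''

@dataclass
class Reaction:
    name: str
    ident: int                                      # integer id for lookups
    rules: list = field(default_factory=list)       # 'add' entries
    commands: list = field(default_factory=list)    # 'exec' entries

_HEADER = re.compile(r'^"([^"]+)"\s*\{$')          # "name" {
_ENTRY = re.compile(r'^(add|exec)\s+"([^"]*)"$')   # add "..." / exec "..."

def parse_reactions(text):
    """Parse reaction blocks; names map to Reaction objects with ids 1..n."""
    reactions, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if current is None:
            m = _HEADER.match(line)
            if not m:
                raise ValueError(f'line {lineno}: expected "name" {{')
            if m.group(1) in reactions:
                raise ValueError(f'line {lineno}: duplicate reaction {m.group(1)!r}')
            current = reactions[m.group(1)] = Reaction(m.group(1), len(reactions) + 1)
        elif line == '}':
            current = None
        else:
            m = _ENTRY.match(line)
            if not m:
                raise ValueError(f'line {lineno}: unrecognised entry {line!r}')
            (current.rules if m.group(1) == 'add' else current.commands).append(m.group(2))
    if current is not None:
        raise ValueError('unterminated reaction block')
    return reactions

def config_error(text):
    """Return the parse error for text, or None if it parses cleanly."""
    try:
        parse_reactions(text)
    except ValueError as exc:
        return str(exc)
    return None
```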