Re: prelude events
On Monday 25 August 2008 16:47:38 LC Bruzenak wrote:
> Yes, you'd add -k ids-file- and the one of: info, low,
med, or high
> depending on how severe you consider this access.
...and of course then that made me think if we can do this for the file
watches, why not for user-submitted events also?
The problem is that user space originating events do not have keys. So, there
is no way to setup audit policy from the audit configuration. You could try
adding them in the message being sent to the kernel. But this then means its
hardcoded and no one can change it to something lower if they don't like it.
Some of these I am already sending into the prelude system via
patched
audisp-prelude.c code, but I'd prefer to rip out this hack and instead just
have a matching key identified.
There is a lot of specialized information aside from the key that must go into
an alert. Source and target of attack must be clearly identified, impact,
severity, category, etc. Not sure how to get that from a generic key. Any
ideas along this line?
-Steve