On Wed, 19 Mar 2008 14:54:16 EDT, Steve Grubb said:
>> 2) An audit rule wasn't set at all.
> Again nothing to worry about since they haven't set the system up
> yet.
No - it's one of the failure modes you said you were worried about:
> The problem is that you can tell the IDS that you want any reads
> of /opt/my-secrets, but unless you have a matching audit rule you will not
> get any records. This allows you to make sure you have a watch paired with
> its meaning.
Exactly - if you're missing the rule, you don't get records.
Determining whether it's a problem because a rule is missing, or not a
problem because "it's not set up yet", isn't anything the kernel should be
involved in - other than to maybe notify us "Hey dood, you have exactly zero
rules set, you might want to check what happened".
> I have also been wondering about detecting shadowed rules and warning when
> auditctl finishes a file.
I wasn't even thinking about that - I was thinking of the ones that are like
the old SNL skit - a dessert topping *and* a floor wax. Say, one rule triggered
on an event because it's an unsuccessful open, and another rule would have
triggered because it was a reference to a watched file....
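The two checks discussed in this exchange (a required watch with no matching rule, and a rule shadowed by an earlier one) can be done in userspace before the rules file is handed to auditctl. The script below is an added example, not code from this thread or from the audit project; it parses `-w/-p/-k` watch rules in the syntax auditctl reads, assumes a watch without `-p` covers all four permissions, and treats a watch as shadowed when an earlier rule on the same path already covers its permissions (that definition is this example's own assumption). The rules text is constructed sample input.

```python
"""Sanity-check audit watch rules before loading them with auditctl.

Added example (not from the linux-audit thread). Assumptions: rules use
the "-w <path> -p <perms> -k <key>" syntax auditctl accepts; a watch
without -p covers r, w, x and a; "shadowed" means an earlier watch on
the same path already covers every permission of a later one.
"""
import shlex

# Constructed sample rules file, in the format auditctl -R reads.
SAMPLE_RULES = """\
# watch reads of the secrets directory
-w /opt/my-secrets -p r -k secrets
-w /etc/shadow -p wa -k identity
-w /opt/my-secrets -p r -k secrets-dup
"""

ALL_PERMS = set("rwxa")  # assumed default when -p is omitted


def parse_watches(text):
    """Return [(path, perms_set, key)] for every -w rule; skip comments,
    blank lines and rules that are not file watches."""
    watches = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        path = key = None
        perms = None
        i = 0
        while i < len(argv):
            flag = argv[i]
            if flag == "-w" and i + 1 < len(argv):
                path = argv[i + 1]
                i += 2
            elif flag == "-p" and i + 1 < len(argv):
                perms = set(argv[i + 1])
                i += 2
            elif flag == "-k" and i + 1 < len(argv):
                key = argv[i + 1]
                i += 2
            else:
                i += 1
        if path is not None:
            watches.append((path, perms if perms is not None else set(ALL_PERMS), key))
    return watches


def find_missing(watches, required):
    """Paths in `required` ({path: perms_string}) that no watch covers
    for all of the requested permissions."""
    missing = []
    for path, perms in required.items():
        covered = set()
        for wpath, wperms, _ in watches:
            if wpath == path:
                covered |= wperms
        if not set(perms) <= covered:
            missing.append(path)
    return missing


def find_shadowed(watches):
    """Indices (0-based) of watches whose path and permissions are already
    fully covered by an earlier watch in the same file."""
    shadowed = []
    for i, (path, perms, _) in enumerate(watches):
        for earlier_path, earlier_perms, _ in watches[:i]:
            if earlier_path == path and perms <= earlier_perms:
                shadowed.append(i)
                break
    return shadowed


def check_rules(text, required):
    """Return a list of warning strings; an empty list means the file
    has at least one watch, covers every required path, and has no
    shadowed watch."""
    watches = parse_watches(text)
    warnings = []
    if not watches:
        warnings.append("no watch rules loaded at all")
    for path in find_missing(watches, required):
        warnings.append(f"no watch covers {path} ({required[path]})")
    for idx in find_shadowed(watches):
        path, perms, key = watches[idx]
        warnings.append(
            f"rule {idx + 1} ({path} -p {''.join(sorted(perms))} -k {key}) "
            "is shadowed by an earlier rule"
        )
    return warnings


if __name__ == "__main__":
    # Constructed list of what the IDS expects to see records for.
    wanted = {"/opt/my-secrets": "r", "/var/log/secure": "w"}
    for warning in check_rules(SAMPLE_RULES, wanted):
        print("WARNING:", warning)
```

Run against the sample file it reports two problems: `/var/log/secure` has no watch at all, and the third rule duplicates the first. An empty file trips the "zero rules" warning first, which is the userspace equivalent of the kernel notification suggested above.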