On Friday 20 May 2005 13:21, Steve Grubb wrote:
<snip>
I can think of more good reasons...but I think David wants to hear from other
people than myself.
We should talk on Tuesday and list and prioritize everything, including the
"nice to haves", that are left to do for development in both the kernel and
user space. If this work is not _needed_ for the CAPP evaluation then it
should be done after the freeze, IMO. It is a very useful feature, no doubt,
but there's a greater goal here
Then there is another part to the question...should the
key be numeric or a text string?
For human factors, I believe it should be a string. It would be good for other
people to state an opinion. Additionally, by having only a number for syscall
auditing - if you want to make it correlate with filesystem auditing, you
will have to choose a number also so searching produces the right results.
I personally think keys are best stored numerically as hashes (a kind of
cookie if you will) in the kernel and then, if need be, translated into
something more meaningful to human eyes in userland. However, we just don't
have the resources right now to fully develop and test this strategy. And,
if we only go half way and convert them to numeric representations, this will
do no good for the administrator and we might as well not have them at all
(which isn't acceptable).
Grouping rules together and associating records can be done other ways without
the use of a string key. For instance, we could add rules to "groups" such
that one could correlate records by this association (which would just be an
integer id).... This would require a list of lists rather than just a list,
for rules. Again, resources would be the limiting factor. Anyway, I'm a
dreamer and it's Friday.
-tim
-Steve