On Wednesday 19 August 2009 03:12:05 am Miloslav Trmac wrote:
> I suggest that a change should be done in the kernel. The events
> are filtered in it so that there is no need to parse the messages
> sent to auditd, and this solution wouldn't cause any increase
> in the load of the system caused by auditing.
I suppose you could hook into the exclude filter and check events there.
> First of all, the syntax of the rules should be changed a bit to
> include reactive rules. It could look like this:
>
>     rule1
>     rule2 {
>         rule2_1
>         rule2_2
>     }
>     rule3
>
> When an event that rule2 watches for occurs, rule2_1 and rule2_2
> will be added/removed to/from the rule set.
You could also do matching based on a new field rather than change the syntax
of the rules. It could work like the key field except it's a number. The high bit
could determine if it's add/delete.
> The change in the syntax means a change in auditctl.c. Also,
> struct audit_rule_data needs to be altered to include some flag
> that makes it possible to distinguish between the types of rules
> when passed to the kernel.
The less changed in the kABI, the better. It needs to stay backward/forward
compatible in different combinations of kernel and user space.
-Steve
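To make the proposed block syntax concrete, here is a small user-space model of it, added as an example (it is not code from auditctl, the audit kernel filter, or either author). It assumes toggle semantics for child rules and models event matching by the rule's `-k` key; the rule set and event keys are constructed.

```python
"""Toy model of the reactive rule syntax proposed above (constructed example,
not auditctl or kernel code).  Assumed semantics: a rule ending in '{' opens a
block of child rules; when an event matches the parent, each child is added to
the live set if absent and removed if present.  Matching uses the '-k key'."""
import re


class Rule:
    def __init__(self, text):
        self.text, self.children = text, []
        m = re.search(r"-k\s+(\S+)", text)
        self.key = m.group(1) if m else None


def parse_rules(src):
    """Parse the nested block syntax into a list of top-level Rule objects."""
    top, stack = [], []
    for raw in src.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            stack.pop()
            continue
        opens = line.endswith("{")
        rule = Rule(line[:-1].strip() if opens else line)
        (stack[-1].children if stack else top).append(rule)  # attach to parent
        if opens:
            stack.append(rule)
    if stack:
        raise ValueError("unbalanced '{'")
    return top


def handle_event(active, event_key):
    """Toggle the children of every active rule whose key the event carries."""
    for rule in [r for r in active if r.key == event_key]:
        for child in rule.children:
            if child in active:
                active.remove(child)
            else:
                active.add(child)
    return sorted(r.text for r in active)


# constructed rule set: a hit on /etc/shadow arms two extra rules
RULES = """
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow {
    -a always,exit -F arch=b64 -S execve -k exec_after_shadow
    -w /root/.ssh -p rwa -k rootssh
}
"""
```

Start with `active = set(parse_rules(RULES))` and feed `handle_event(active, "shadow")` to see the two child rules appear; a second matching event removes them again.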