audit 0.6 release
Steve Grubb
sgrubb at redhat.com
Thu Jan 6 22:40:56 UTC 2005
On Thursday 06 January 2005 16:52, Browder, Tom wrote:
> From a newbie trying to satisfy my minimum audit requirements: I've
> looked at the source briefly and wonder if you might add to TODO:
>
> 1. Add a separate conf file for rules (say, /etc/audit.rules.conf; or
> put them in the /etc/auditd.conf file). (Is that the "rules loader"?)
Yes. It's all rolled into that.
> 2. Have rules capable of responding to a user by name (or a negation of
> user names), exit success of the syscall, and argument to the syscall
> (and syscall by name as you already mention in TODO). (You probably do
> most of this, I just haven't figured out all the rule rules yet.)
The rule loader can probably do the translation of user to uid. Otherwise, I
think the current framework does all this.
> 3. Allow user formatting of messages (e.g., eliminate unwanted fields)
That might save some diskspace. I'll add this near the bottom.
> 4. You mention log rotation in TODO, can't the system logrotate handle
> it (through the /etc/logrotate.conf file)?
No. Logrotate must stop and start daemons if they have an open descriptor. We
need to do this ourselves.
> An example of a rule I want is to report when user X tries
> unsuccessfully to unlink a specific file.
I'm pretty sure this can be done:
assuming user x is uid 501
auditctl -a entry always -S unlink -F uid=501 arg0=file
The main issue I see is figuring out what unsuccessful means and putting that
into syntax. < is not an option. It might be success!=0.
-Steve Grubb
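The rule Steve sketches above only tells the kernel what to record; a practitioner still needs to pick the matching events back out of audit.log and correlate the SYSCALL record (which carries uid, syscall number and success) with the PATH record (which carries the file name) of the same event. The script below is an added example, not code from the thread or from the audit project: it groups constructed audit.log lines by event id and reports failed unlink attempts by a given uid on a given file. The log lines are constructed (not a real capture), the syscall numbers 87 (unlink) and 263 (unlinkat) are x86_64 values, and the rule in the comment uses current auditctl syntax (`-F success=0` for "failed"), which is the modern spelling of the `success!=0` idea Steve speculates about, not the 0.6 syntax.

```python
import re
from collections import defaultdict

# Modern auditctl equivalent of the rule discussed in the thread (current
# syntax, not audit 0.6): record every failed unlink/unlinkat by uid 501.
#   auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F uid=501 -F success=0 -k unlink-watch
# The path match is done here in the parser so the kernel rule can stay broad.

# Record header: 'type=SYSCALL msg=audit(1104935712.101:201): <fields>'
HEADER_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers for the unlink family (assumption: b64 arch).
UNLINK_SYSCALLS = {"87": "unlink", "263": "unlinkat"}

# Constructed sample: event 201 is uid 501 failing (EACCES) to delete the
# protected file, 202 is uid 501 successfully deleting its own temp file,
# 203 is uid 0 failing (EBUSY) on the protected file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1104935712.101:201): arch=c000003e syscall=87 success=no exit=-13 a0=7ffd1 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4242 auid=501 uid=501 gid=501 comm="rm" exe="/bin/rm" key="unlink-watch"
type=CWD msg=audit(1104935712.101:201): cwd="/home/x"
type=PATH msg=audit(1104935712.101:201): item=0 name="/srv/data/" inode=100 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1104935712.101:201): item=1 name="/srv/data/secret.txt" inode=101 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=DELETE
type=SYSCALL msg=audit(1104935715.300:202): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd2 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4243 auid=501 uid=501 gid=501 comm="rm" exe="/bin/rm" key="unlink-watch"
type=PATH msg=audit(1104935715.300:202): item=1 name="/tmp/x.tmp" inode=102 dev=08:01 mode=0100644 ouid=501 ogid=501 nametype=DELETE
type=SYSCALL msg=audit(1104935720.500:203): arch=c000003e syscall=87 success=no exit=-16 a0=7ffd3 a1=0 a2=0 a3=0 items=2 ppid=1 pid=4244 auid=0 uid=0 gid=0 comm="rm" exe="/bin/rm" key="unlink-watch"
type=PATH msg=audit(1104935720.500:203): item=1 name="/srv/data/secret.txt" inode=101 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=DELETE
"""


def parse_fields(body):
    """Turn the key=value tail of a record into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_events(log_text):
    """Group records by their (timestamp, serial) event id, in file order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        fields = parse_fields(m.group("body"))
        fields["type"] = m.group("type")
        events[(m.group("ts"), m.group("serial"))].append(fields)
    return events


def find_failed_unlinks(log_text, uid, path):
    """Return the events where `uid` tried and failed to unlink `path`."""
    hits = []
    for (ts, serial), records in group_events(log_text).items():
        syscalls = [r for r in records if r["type"] == "SYSCALL"]
        if not syscalls:
            continue
        sc = syscalls[0]
        # success=no is the logged form of the -F success=0 filter.
        if sc.get("syscall") not in UNLINK_SYSCALLS:
            continue
        if sc.get("success") != "no" or sc.get("uid") != str(uid):
            continue
        # The file name lives in the PATH records of the same event.
        names = [r.get("name") for r in records if r["type"] == "PATH"]
        if path not in names:
            continue
        hits.append({
            "serial": serial,
            "time": float(ts),
            "syscall": UNLINK_SYSCALLS[sc["syscall"]],
            "pid": sc.get("pid"),
            "comm": sc.get("comm"),
            "exit": int(sc.get("exit", "0")),  # negative errno on failure
        })
    return hits


if __name__ == "__main__":
    for hit in find_failed_unlinks(SAMPLE_LOG, 501, "/srv/data/secret.txt"):
        print(hit)
```

Filtering on `uid` mirrors the thread; for attributing the attempt to the person who logged in (rather than to a process that changed its uid), the `auid` field is usually the better key, and the same parser handles it by swapping the field name.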
More information about the Linux-audit mailing list