audit 0.6 release

Browder, Tom Tom.Browder at fwb.srs.com
Thu Jan 6 21:52:50 UTC 2005


> -----Original Message-----
> From: linux-audit-bounces at redhat.com 
> [mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
> Subject: audit 0.6 release
> is getting closer. If you see missing functionality that's 
> not on the TODO list in the top directory, let me know. If 
> you have patches...even better.

From a newbie trying to satisfy my minimum audit requirements:  I've
looked at the source briefly and wonder if you might add to TODO:

1.  Add a separate conf file for rules (say, /etc/audit.rules.conf; or
put them in the /etc/auditd.conf file).  (Is that the "rules loader"?)

2.  Have rules capable of responding to a user by name (or a negation of
user names), exit success of the syscall, and argument to the syscall
(and syscall by name as you already mention in TODO).  (You probably do
most of this, I just haven't figured out all the rule rules yet.)

3.  Allow user formatting of messages (e.g., eliminate unwanted fields)

4.  You mention log rotation in TODO, can't the system logrotate handle
it (through the /etc/logrotate.conf file)?

An example of a rule I want is to report when user X tries
unsuccessfully to unlink a specific file.

I'm at the point where I want to hack the code as is just to get my
minimum requirements, so I'm happy to help out if you can use me.

-Tom Browder
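An added example for the rule Tom describes (user X failing to unlink a specific file), not code from this message or from the audit project: a post-filter over auditd records that keeps only the matching events and trims them to the fields worth reading (items 2 and 3 of the wish list), plus the auditctl rule that asks the kernel for the same events. It assumes present-day auditctl syntax and the present-day key=value log format, both of which postdate audit 0.6, x86_64 syscall numbers (arch=c000003e), and the sample log lines are constructed.

```python
# Added example, not from the linux-audit project or the message above:
# post-filter auditd records for failed unlink() of one file by one user,
# and build the present-day auditctl rule that asks the kernel for them.
import os
import re
from collections import defaultdict

# Constructed sample log in auditd's key=value format: four syscall events,
# each a SYSCALL record plus the CWD and PATH records carrying the same id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1104950000.101:301): arch=c000003e syscall=87 success=no exit=-13 items=2 ppid=2100 pid=2105 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="hosts-deny"
type=CWD msg=audit(1104950000.101:301): cwd="/home/tom"
type=PATH msg=audit(1104950000.101:301): item=0 name="/etc" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1104950000.101:301): item=1 name="/etc/hosts.deny" inode=4711 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1104950000.102:302): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2100 pid=2106 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key=(null)
type=CWD msg=audit(1104950000.102:302): cwd="/home/tom"
type=PATH msg=audit(1104950000.102:302): item=1 name="/tmp/scratch" inode=99 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1104950000.103:303): arch=c000003e syscall=263 success=no exit=-13 items=2 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="rm" exe="/bin/rm" key="hosts-deny"
type=CWD msg=audit(1104950000.103:303): cwd="/home/alice"
type=PATH msg=audit(1104950000.103:303): item=1 name="/etc/hosts.deny" inode=4711 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1104950000.104:304): arch=c000003e syscall=263 success=no exit=-1 items=2 ppid=2100 pid=2107 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="hosts-deny"
type=CWD msg=audit(1104950000.104:304): cwd="/etc"
type=PATH msg=audit(1104950000.104:304): item=0 name="." inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1104950000.104:304): item=1 name="hosts.deny" inode=4711 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# x86_64 syscall numbers (arch=c000003e); assumed here, other arches differ.
X86_64 = "c000003e"
UNLINK_SYSCALLS = {"87": "unlink", "263": "unlinkat"}


def parse_record(line):
    """Split one auditd record into its type, event id and {field: value}."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip auditd's quoting of strings
        fields[key] = value
    return {"type": rtype, "event": f"{ts}:{serial}", "fields": fields}


def group_events(log_text):
    """Records sharing one audit(ts:serial) id belong to the same syscall."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["event"]].append(rec)
    return events


def event_paths(records):
    """Absolute paths named by the event; relative names are joined with CWD."""
    cwd = next((r["fields"].get("cwd") for r in records if r["type"] == "CWD"), None)
    paths = []
    for r in records:
        if r["type"] != "PATH" or "name" not in r["fields"]:
            continue
        name = r["fields"]["name"]
        if not os.path.isabs(name) and cwd:
            name = os.path.normpath(os.path.join(cwd, name))
        paths.append(name)
    return paths


def failed_unlinks(log_text, target_path, auid):
    """Events where login uid `auid` tried and failed to unlink `target_path`."""
    hits = []
    for event_id, records in group_events(log_text).items():
        sc = next((r["fields"] for r in records if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("arch") != X86_64:
            continue
        if sc.get("syscall") not in UNLINK_SYSCALLS:
            continue
        if sc.get("success") != "no" or sc.get("auid") != str(auid):
            continue
        if target_path not in event_paths(records):
            continue
        hits.append({                    # item 3: keep only the fields worth reading
            "event": event_id,
            "syscall": UNLINK_SYSCALLS[sc["syscall"]],
            "auid": sc["auid"],
            "exe": sc.get("exe"),
            "exit": sc.get("exit"),
            "path": target_path,
        })
    return hits


def auditctl_rule(target_path, auid, key="hosts-deny"):
    """Present-day auditctl rule for the same events (not audit 0.6 syntax)."""
    return ("auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat "
            f"-F path={target_path} -F auid={auid} -F success=0 -k {key}")
```

The kernel-side rule does the expensive selection (arch, syscall, path, login uid, failed result), and the post-filter exists for the formatting the message asks for, and for the unlinkat case, where the PATH name can be relative to the process's cwd and has to be joined with the CWD record before it is compared against the watched file.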
