[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: audit 0.6 release



> -----Original Message-----
> From: linux-audit-bounces redhat com 
> [mailto:linux-audit-bounces redhat com] On Behalf Of Steve Grubb
> Subject: audit 0.6 release
> is getting closer. If you see missing functionality that's 
> not on the TODO list in the top directory, let me know. If 
> you have patches...even better.

>From a newbie trying to satisfy my minumum audit requirements:  I've
looked at the source briefly and wonder if you might add to TODO:

1.  Add a separate conf file for rules (say, /etc/audit.rules.conf; or
put them in the /etc/auditd.conf file).  (Is that the "rules loader"?)

2.  Have rules capable of responding to a user by name (or a negation of
user names), exit success of the syscall, and argument to the syscall
(and syscall by name as you already mention in TODO).  (You probably do
most of this, I just haven't figured out all the rule rules yet.)

3.  Allow user formatting of messages (e.g., eliminate unwanted fields)

4.  You mention log rotation in TODO, can't the system logrotate handle
it (through the /etc/logrotate.conf file)?

An example of a rule I want is to report when user X tries
unsuccessfully to unlink a specific file.

I'm at the point where I want to hack the code as is just to get my
minimum requirements, so I'm happy to help out if you can use me.

-Tom Browder


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]