[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit 0.6 release

On Thursday 06 January 2005 16:52, Browder, Tom wrote:
>From a newbie trying to satisfy my minumum audit requirements:  I've
> looked at the source briefly and wonder if you might add to TODO:
> 1.  Add a separate conf file for rules (say, /etc/audit.rules.conf; or
> put them in the /etc/auditd.conf file).  (Is that the "rules loader"?)

Yes. Its all rolled into that.

> 2.  Have rules capable of responding to a user by name (or a negation of
> user names), exit success of the syscall, and argument to the syscall
> (and syscall by name as you already mention in TODO).  (You probably do
> most of this, I just haven't figured out all the rule rules yet.)

The rule loader can probably do the translation of user to uid. Otherwise, I 
think the current framework does all this.

> 3.  Allow user formatting of messages (e.g., eliminate unwanted fields)

That might save some diskspace. I'll add this near the bottom.

> 4.  You mention log rotation in TODO, can't the system logrotate handle
> it (through the /etc/logrotate.conf file)?

No. Logrotate must stop and start daemons of they have a open descriptor. We 
need to do this ourselves.

> An example of a rule I want is to report when user X tries
> unsuccessfully to unlink a specific file.

I'm pretty sure this can be done:
assuming user x is uid 501
auditctl -a entry always -S unlink -F uid=501 arg0=file

The main issue I see is figuring out what unsuccessful means and putting that 
into syntax. < is not an option. It might be success!=0.

-Steve Grubb

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]