key in syscall audit rules.

David Woodhouse dwmw2 at infradead.org
Fri May 20 23:45:34 UTC 2005


On Fri, 2005-05-20 at 14:21 -0400, Steve Grubb wrote:
> David's question comes from a long dialog between him and me. He is looking 
> for an actual scenario where it would help. I have already thought of many 
> uses...but I think he wants a real life scenario where it may help.

Indeed I do. And a _specific_ example, at that.

> I can see the use for correlating syscall audits that are cooperatively 
> working together. Right now, all fields added to a search get "anded" 
> together. The way you get an "or" is to create another rule. But if you 
> wanted to keep the 2 rules together so you can pick any related events out of 
> a gigabyte of data, keys would be helpful.

I don't see how they help. Even just loading the log in 'less' and using
a regex, I can go looking for these 'related events' of which you speak
without adding complexity to the kernel.

> If you have to do inode auditing and want a label to remind yourself what the 
> inode maps to, keys are needed.

If the user needs a 'reminder' about what it is that she's auditing,
then her problems are more severe than we can hope to help her with.

> If you want to have file audit and syscall audits to cover a specific 
> requirement and be able to find them by searching, keys are needed.

Again, no. You don't need keys and as I said before you may even miss
events if you use just keys for it, because a given event might be
matched by more than one rule.

> If you want to have some rules that are in effect at boot and be able to 
> *easily* pick them out for deletion once the system is operational, keys are 
> needed.

You're thinking of the trick of logging all opens during system boot?
Again, you don't need keys. You just look for all the open syscalls
between startup and some point you choose as the endpoint. It isn't
hard.

> If you want to look at the data that was captured by the above boot scenario 
> and not see all the other data that may be similar, keys are needed.

OK, this is a slightly more specific example of the case immediately
above, but it's still far too hand-wavy. Show a sample logfile, show me
how keys would help. I don't believe they would.

> I can think of more good reasons...but I think David wants to hear from other 
> people than myself. 

I'd like to hear _specific_ examples of how keys would actually be
useful in _practice_. I'm not really averse to adding them -- I've
already done a first attempt at it, after all -- but I'm not convinced
it's really worth it.

-- 
dwmw2
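To make the two search strategies argued over above concrete, here is an added example (not code from the thread, the kernel audit patches, or either author): a small parser over a few constructed SYSCALL-style audit records that selects events either by a `key=` field (the rule key Steve proposes) or, as David suggests, by syscall number within a chosen time window. The record layout, the `key=` field name, the arch/syscall values (i386, where open is syscall 5 and write is 4) and the sample lines are all assumptions constructed for the example.

```python
import re

# Constructed sample records (not from the thread). The layout imitates the
# auditd SYSCALL record style; the key= field is assumed to carry the rule key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1116632100.001:101): arch=40000003 syscall=5 success=yes exit=3 comm="init" exe="/sbin/init" key="boot-opens"
type=SYSCALL msg=audit(1116632101.500:102): arch=40000003 syscall=5 success=yes exit=4 comm="rc.sysinit" exe="/bin/bash" key="boot-opens"
type=SYSCALL msg=audit(1116632102.250:103): arch=40000003 syscall=5 success=no exit=-13 comm="login" exe="/bin/login" key="shadow-access"
type=SYSCALL msg=audit(1116632230.000:104): arch=40000003 syscall=5 success=yes exit=5 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1116632231.000:105): arch=40000003 syscall=4 success=yes exit=12 comm="syslogd" exe="/sbin/syslogd" key=(null)
"""

# msg=audit(<seconds.millis>:<serial>): gives the event time and serial number.
AUDIT_HDR = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')
# Generic name=value fields; values are quoted strings, (null), or bare tokens.
FIELD = re.compile(r'(\w+)=("[^"]*"|\(null\)|\S+)')


def parse_audit(text):
    """Turn audit lines into dicts of fields plus 'ts' (float) and 'serial' (int)."""
    events = []
    for line in text.splitlines():
        hdr = AUDIT_HDR.search(line)
        if not hdr:
            continue  # skip anything that is not an audit record
        fields = {name: value.strip('"') for name, value in FIELD.findall(line)}
        fields["ts"] = float(hdr.group(1))
        fields["serial"] = int(hdr.group(2))
        events.append(fields)
    return events


def events_with_key(events, key):
    """Rule-key search: only records tagged by a rule carrying this key."""
    return [e["serial"] for e in events if e.get("key") == key]


def events_in_window(events, syscall, start, end):
    """Time-window search: every record of the given syscall between start and end,
    regardless of which rule (if any) produced it."""
    return [
        e["serial"]
        for e in events
        if e.get("syscall") == str(syscall) and start <= e["ts"] <= end
    ]


EVENTS = parse_audit(SAMPLE_LOG)

if __name__ == "__main__":
    # Key search returns only the two boot-time opens tagged "boot-opens".
    print("by key:", events_with_key(EVENTS, "boot-opens"))
    # Window search over the boot period also picks up the open tagged by a
    # different rule (serial 103), since it does not depend on rule tagging.
    print("by window:", events_in_window(EVENTS, 5, 1116632100.0, 1116632200.0))
```

Run against the constructed log, the key search yields serials 101 and 102, while the boot-window search for open (syscall 5) yields 101, 102 and 103: the window catches the record another rule tagged as `shadow-access`, which is the difference in behaviour the two sides are arguing about.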