[RFC] programmatic IDS routing
Eric Paris
eparis at redhat.com
Wed Mar 19 19:48:54 UTC 2008
On Wed, 2008-03-19 at 15:28 -0400, Steve Grubb wrote:
> On Wednesday 19 March 2008 15:04:57 Linda Knippers wrote:
> > I'm not sure why all of the above apply.
>
> Because this IDS is part of the audit system.
>
> > If an IDS has a dependency on audit and specific audit rules to get the
> > information it needs, it can use the information in its config file to
> > construct the audit rules it needs.
>
> Then you surely have duplicate rules controlled by 2 systems. The first rule
> in the audit.rules file is -D which would delete not only the audit event
> rules for archival purposes, but any IDS placed rules. There is not a simple
> way of deleting the rules placed by auditctl vs the ones placed by the IDS.
> The IDS system would also need to be prodded to reload its set of rules
> again.
If someone does -D they lose no matter what no matter how we solve
this :)
I find it objectionable that they sysadmin has to learn some new
arbitrary key requirements. Could the ids system parse its own
configuration file and automatically generating audit.rules.ids which is
just cat'ed onto the end of audit.rules for purposes of statup scripts
and things like that? Then I wouldn't have a problem with it setting
its own key however it wanted the key. Although admittedly I have no
idea what happens if you do
-a exit,always -S all -k hey2
-a exit,always -S all -k key2
More information about the Linux-audit
mailing list