Fwd: Reactive rules proposal

Miloslav Trmac mitr at redhat.com
Wed Nov 25 17:49:33 UTC 2009


From: "Juraj Hlista" <juro.fit at gmail.com>

I'm working on the implementation of reactive rules in audit.
I've come up with a new type of rule (AUDIT_ALWAYS_REACT)
which is almost the same as AUDIT_ALWAYS. The only difference is that
the kernel generates one more message of type REACT_RULE when this
rule is used. For instance, let's suppose that the reactive rule was added
to the rule set with auditctl:

auditctl -a exit,react -F path=/tmp/file -F perm=r 

then "cat /tmp/file" generates the following audit message: 

type=REACT_RULE msg=audit(1259164875.572:4): 
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1259164875.572:4): cwd="/root" 
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 

Also, I'm working on a plugin which watches for the messages of 
type REACT_RULE and makes decisions accordingly. This plugin 
has a configuration file which could look like this: 

variable = 0;
"action1" {
    exec "program1"
    add/delete rule
    if (variable == 0) {
        exec "program2"
    }
}

The problem is that the plugin needs to recognize what reactive rules 
have been reacted to. The kernel just generates messages without 
any identifier. 

In order to solve it, auditctl has to add an identifier to the reactive 
rule somehow, for example, using -k parameter: 

auditctl -a exit,react -k "action1" -F path=/tmp/file -F perm=r 

Another solution would be to create a new parameter, for example, -k_react.

Any suggestions? 
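The identifier problem described in the message can be illustrated with the plugin-side logic that would consume these records. The following is an added example, not code from the post or from the audit project: it assumes the proposed REACT_RULE record type and the -k "action1" convention from the message, groups records into events by the audit serial number, and pulls the key from the SYSCALL record of any event that also carries a REACT_RULE record. The sample records are constructed from the post's event, rewritten as if the rule had been added with -k (the post's own sample has key=(null), which is the failure mode shown on the third event).

```python
import re
from collections import defaultdict

# Constructed sample input. Serial 4 is the post's event with key="action1"
# added; serial 5 is an ordinary (non-reactive) event; serial 6 is a reactive
# event whose rule was added without -k, so it carries no usable identifier.
SAMPLE_RECORDS = """\
type=REACT_RULE msg=audit(1259164875.572:4):
type=SYSCALL msg=audit(1259164875.572:4): arch=c000003e syscall=2 success=yes exit=3 a0=7fffdf4389cb a1=0 a2=2 a3=0 items=1 ppid=1148 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="action1"
type=CWD msg=audit(1259164875.572:4): cwd="/root"
type=PATH msg=audit(1259164875.572:4): item=0 name="/tmp/file" inode=27872 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1259164880.101:5): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1170 uid=0 comm="cat" exe="/bin/cat" key="plain"
type=PATH msg=audit(1259164880.101:5): item=0 name="/etc/hostname" inode=100 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=REACT_RULE msg=audit(1259164890.300:6):
type=SYSCALL msg=audit(1259164890.300:6): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1181 uid=0 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1259164890.300:6): item=0 name="/tmp/other" inode=27900 dev=03:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# "type=T msg=audit(TIMESTAMP:SERIAL): rest" -- the serial ties records of one event together.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value pairs; values are either a double-quoted string or a run of non-blank chars.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record line into type, serial, timestamp and a field dict."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    fields = {}
    for name, value in FIELD_RE.findall(m.group('rest')):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # strip the quotes audit puts around strings
        fields[name] = value
    return {'type': m.group('type'), 'serial': int(m.group('serial')),
            'ts': m.group('ts'), 'fields': fields}


def group_events(text):
    """Group records by serial number: one audit event spans several record lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec:
            events[rec['serial']].append(rec)
    return events


def react_keys(text):
    """Return {serial: key} for every event that contains a REACT_RULE record.

    The key comes from the SYSCALL record of the same event (the -k value of the
    rule that fired). It is None when the rule was added without -k, which is
    exactly the case where the plugin cannot tell which action block applies.
    """
    result = {}
    for serial, recs in group_events(text).items():
        if not any(r['type'] == 'REACT_RULE' for r in recs):
            continue
        key = None
        for r in recs:
            if r['type'] == 'SYSCALL':
                k = r['fields'].get('key')
                if k not in (None, '(null)'):
                    key = k
        result[serial] = key
    return result


def dispatch(text, actions):
    """Run the configured action block named by each reactive event's key.

    `actions` maps block names (e.g. "action1") to callables taking the serial.
    Returns [(serial, action_name)] with None for events that matched no block,
    so unmatched reactive events stay visible to the operator instead of being
    silently dropped.
    """
    fired = []
    for serial, key in sorted(react_keys(text).items()):
        handler = actions.get(key) if key else None
        if handler:
            handler(serial)
        fired.append((serial, key if handler else None))
    return fired


if __name__ == '__main__':
    acts = {'action1': lambda s: print(f'event {s}: running action1 block')}
    for serial, name in dispatch(SAMPLE_RECORDS, acts):
        print(serial, name or 'no identifier / no matching action block')
```

Correlating on the serial rather than on the REACT_RULE line alone is what makes the -k proposal workable: the identifier lives in the SYSCALL record, and the REACT_RULE record merely marks the event as one the plugin should act on.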
