
Re: [PATCH] mapping of reactions



On Tuesday 06 April 2010 05:13:49 am Juraj Hlista wrote:
> The patches were denied, because it can be implemented without
> touching the kernel (in the audit plugin, which I'm working on now)

Yes. It should be possible to set a list of parameters to match against and 
then run auditctl when a match is found. Auditctl can delete by key, so if you 
have a set of rules for a specific reaction, then you can add a key to the 
rules. Then if another rule is matched that would want to delete the rules, 
you can do that. For example, mount might require adding rules, unmount would 
probably delete any watches, but you can make sure everything is gone with a 
second match. Same thing with logon/logoff of a specific user.

-Steve
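
Added example, not part of the original message and not the audit plugin's own code: a sketch of the add-by-key / delete-by-key pairing described above, for mount/unmount and logon/logoff. The event names, the `react_<kind>_<subject>` key scheme, the `react` and `reaction_key` functions and the sample rules are assumptions; it prints the auditctl commands unless `AUDITCTL` is overridden.

```shell
#!/bin/sh
# Dry run by default: commands are printed. Set AUDITCTL=auditctl (as root) to apply.
AUDITCTL="${AUDITCTL:-echo auditctl}"

# reaction_key KIND SUBJECT -> key shared by every rule of one reaction.
# The react_<kind>_<subject> scheme is an assumption of this example.
reaction_key() {
    key="react_${1}_$(printf '%s' "$2" | tr -c 'A-Za-z0-9' '_')"
    # auditctl documents keys as at most 31 bytes; refuse rather than
    # truncate, since two truncated keys could collide.
    [ "${#key}" -le 31 ] || { echo "key too long: $key" >&2; return 1; }
    printf '%s' "$key"
}

# react EVENT SUBJECT: add keyed rules on the opening event and delete
# everything carrying that key on the closing one.
react() {
    event=$1; subject=$2
    case $event in
        mount|unmount) kind=mount ;;
        logon|logoff)  kind=user ;;
        *) echo "unknown event: $event" >&2; return 1 ;;
    esac
    key=$(reaction_key "$kind" "$subject") || return 1
    case $event in
        # Sample rules (constructed): watch writes and attribute changes under
        # the mount point; log execve for the given login uid.
        mount) $AUDITCTL -w "$subject" -p wa -k "$key" ;;
        logon) $AUDITCTL -a always,exit -F arch=b64 -S execve -F "auid=$subject" -k "$key" ;;
        *)     $AUDITCTL -D -k "$key" ;;   # unmount / logoff
    esac
}

# Constructed event stream; the repeated unmount is the "second match"
# that makes sure nothing with the key is left behind.
demo() {
    react mount /mnt/usb
    react unmount /mnt/usb
    react unmount /mnt/usb
}

if [ "${1:-}" = demo ]; then demo; fi
```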

