[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: user audits



On Fri, 2010-12-03 at 10:54 -0500, Steve Grubb wrote:
> On Friday, December 03, 2010 10:40:37 am LC Bruzenak wrote:
> > Would there be any issue with adding a couple new trusted_application
> > event types? Would any kernel mods be needed to support this?
> 
> Are these events originating in user space or the kernel? I might be convinced to set 
> aside the block of IDs from 2600 - 2699 for local use if a suitable framework were 
> written. This would mean that there is some config file that holds the local mapping of 
> event IDs to text and ausearch/report/parse will need to be patched to understand 
> local definitions.

Great!
>From user space only. Analogous to signal handling of SIGUSR1, SIGUSR2
where the framework supports the user-implemented pieces. 

I was thinking ausearch/auparse would treat all the TRUSTED_APPs the
same...since they (currently) fails to parse these correctly anyway
IMHO. :)

Everything else could treat the additional user types exactly as they do
the TRUSTED_APP event now. When I dig through the events on the back end
I would be able to act differently on the ones I know I've put in place
on the originating end.

> 
> Would you be interested in this approach?

Absolutely! 
I will be starting work on some stuff which could utilize this after the
holidays. If it gets into RHEL6 I would be thrilled!

Thx,
LCB

-- 
LC (Lenny) Bruzenak
lenny magitekltd com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]