Re: [PATCH] audit: Reactive rules

From: Juraj Hlista
Date: Wed Mar 31 2010 - 03:26:43 EST


On Wed, Mar 31, 2010 at 12:23 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, Mar 31, 2010 at 12:17:11AM +0200, Juraj Hlista wrote:
>> From: Juraj Hlista <juro.hlista@xxxxxxxxx>
>>
>> Add support for reactive rules. An audit rule can contain more than one reaction. The reactions are identified by numbers in the kernel and by strings in the user space.
>
> Huh? We already have a way to associate a unique key with a rule; what does
> that patch offer that can't be happily handled by userland with what we
> already have?
>
If the key were used to associate reactions with a rule, it could be
done, for example, by adding a "react-" prefix to the key (-F
key=react-r1). In order to detect whether a match was found with a
reactive rule, every single audit event would have to be checked for
a key with the "react-" prefix, which is not effective.

There is no need to parse audit events and check whether they have such
a key. When a match with a reactive rule is found, the patch adds a new
record at the beginning of the audit event, for example:

type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2
success=yes exit=3 a0=7fff8022f767 a1=941 a2=1b6 a3=7fff8022e040
items=2 ppid=2777 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="touch"
exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4): cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=0 name="/tmp/" inode=8112
dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file"
inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

The user space only checks the type of the record instead of parsing
it and looking for the keys. The REACT_RULE record has only a list of
reactions; the mapping of reaction numbers to strings is described in:

https://www.redhat.com/archives/linux-audit/2010-March/msg00040.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
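The difference the reply argues for (inspect the type of the first record versus scanning every record for a key prefix) is shown below as an added user-space consumer in C. This is illustrative code written for this page, not the patch or the audit-userspace project's code. The reaction-number-to-name table is hypothetical (the real mapping is in the linked linux-audit message), the comma-separated "react=" list is an assumption (the record quoted above carries a single "react=1"), and the sample events are constructed from the records quoted in the message.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REACTIONS 8

/* Hypothetical number-to-name table for illustration only; the real mapping
 * is defined in the linked linux-audit message and is not reproduced here. */
static const char *const reaction_names[] = { NULL, "log", "alert", "kill" };

/* Constructed sample: the reactive event quoted in the message, one record
 * per string (SYSCALL record shortened). */
static const char *const sample_reactive_event[] = {
    "type=REACT_RULE msg=audit(1270026004.497:4): react=1",
    "type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2 success=yes exit=3 comm=\"touch\" exe=\"/bin/touch\" key=(null)",
    "type=CWD msg=audit(1270026004.497:4): cwd=\"/root\"",
    "type=PATH msg=audit(1270026004.497:4): item=1 name=\"/tmp/file\" inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00",
};
static const int sample_reactive_n = 4;

/* Constructed sample of the key-prefix convention the reply rejects. */
static const char *const sample_keyed_event[] = {
    "type=SYSCALL msg=audit(1270026004.497:5): arch=c000003e syscall=2 success=yes exit=3 comm=\"touch\" exe=\"/bin/touch\" key=\"react-r1\"",
    "type=CWD msg=audit(1270026004.497:5): cwd=\"/root\"",
};
static const int sample_keyed_n = 2;

/* True if the record line begins with "type=<type>" followed by a space/end. */
int record_is_type(const char *line, const char *type)
{
    size_t n = strlen(type);
    while (isspace((unsigned char)*line))
        line++;
    if (strncmp(line, "type=", 5) != 0)
        return 0;
    line += 5;
    return strncmp(line, type, n) == 0 && (line[n] == ' ' || line[n] == '\0');
}

/* Parse the reaction numbers of a REACT_RULE record into out[]. A comma
 * separated list is assumed here; the page shows only "react=1".
 * Returns the count, or -1 if the record is not REACT_RULE or is malformed. */
int parse_react_record(const char *line, int *out, int max)
{
    if (!record_is_type(line, "REACT_RULE"))
        return -1;
    const char *p = strstr(line, " react=");
    if (!p)
        return -1;
    p += strlen(" react=");
    int count = 0;
    for (;;) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v <= 0 || count == max)
            return -1;
        out[count++] = (int)v;
        p = end;
        if (*p != ',')
            break;
        p++;
    }
    return count;
}

/* The alternative discussed in the thread: every record of every event is
 * scanned for a key with the "react-" prefix, so cost grows with event size. */
int event_has_react_key(const char *const *records, int n)
{
    for (int i = 0; i < n; i++)
        if (strstr(records[i], " key=\"react-"))
            return 1;
    return 0;
}

/* With the patch: REACT_RULE, when present, is the first record of the event,
 * so the consumer checks one record type and stops. Returns the number of
 * reactions, 0 when the event is not reactive. */
int event_reactions(const char *const *records, int n, int *out, int max)
{
    if (n == 0)
        return 0;
    int c = parse_react_record(records[0], out, max);
    return c < 0 ? 0 : c;
}

const char *reaction_name(int id)
{
    size_t n = sizeof reaction_names / sizeof reaction_names[0];
    return (id <= 0 || (size_t)id >= n) ? "unknown" : reaction_names[id];
}

int main(void)
{
    int ids[MAX_REACTIONS];
    int c = event_reactions(sample_reactive_event, sample_reactive_n, ids, MAX_REACTIONS);
    for (int i = 0; i < c; i++)
        printf("react=%d -> %s\n", ids[i], reaction_name(ids[i]));
    printf("key scan: reactive=%d keyed=%d\n",
           event_has_react_key(sample_reactive_event, sample_reactive_n),
           event_has_react_key(sample_keyed_event, sample_keyed_n));
    return 0;
}
```

Note that the key-scan path has to look at every record of every event (and the SYSCALL record in the quoted event carries key=(null), so a consumer cannot stop early), while the REACT_RULE path touches only the first record.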