Gary Winiger wrote:
...
>>>> Or for that matter, a series of events?
>>>>
>>>> And how would this be done in real time?
>>>>
>>> You'd write an auditd plugin.
>>>
>>> Real time alarming (i.e. noticing a set of events and taking
>>> some action) is a future project. Unless you're looking to
>>> do it as part of IPFilter.....
>>>
>> Which plugin interfaces would be used?
>
> The Contracted Project Private ones from PSARC/2002/150
> We'd love to get enough experience with them to be able
> to raise the commitment level. Would you like to be the
> first non-Audit team member to use them? If so, see me ;-)
I think I could be that person :) And hopefully email is ok for
"see me", for now.

>> The man page for auditd talks about audit_warn,
>> but there is no suggestion of any plugin capabilities.
>
> See audit_control(4) which describes how to configure
> auditd to use particular plugins. See audit_binfile(5)
> and audit_syslog(5) for the existent plugins

So as a prospective user of audit_control(4), it looks like it could do
with some work to be more user/developer friendly. Are there plans to
improve this interface as part of other work?

For example, if an external package wants to deliver a plugin for auditd,
is a change to /etc/security/audit_control required, or should auditd be
able to read in extra configuration bits that are delivered as part of the
new package in a separate file? (The cleanup is also thus easier to handle.)

Darren
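As an added illustration of the "edit /etc/security/audit_control" side of Darren's question (this is not code from the thread, from the Solaris audit team, or from any real package), here is what a package postinstall/preremove pair would have to do to register and cleanly unregister a single plugin line. The `plugin:name=...;p_key=value` line syntax is assumed from audit_control(4) as described in the thread's man page references; the module name `audit_example.so`, its `p_dir` attribute, and the sample file contents are hypothetical and constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread or the Solaris audit code.
# A package that ships an auditd plugin and edits the shared audit_control
# file must (a) add its plugin: line idempotently and (b) remove only its
# own line on uninstall, leaving every other setting intact.
# ASSUMPTION: plugin lines look like "plugin:name=MODULE;p_key=value;..."
# per audit_control(4). audit_example.so and p_dir=... are hypothetical.

# Constructed stand-in for /etc/security/audit_control (not a real file).
SAMPLE_AUDIT_CONTROL='dir:/var/audit
flags:lo,ad
naflags:lo,ad
minfree:20
plugin:name=audit_syslog.so;p_flags=+lo,+ad
'

# write_sample FILE: materialise the constructed sample into FILE.
write_sample() {
    printf '%s' "$SAMPLE_AUDIT_CONTROL" > "$1"
}

# plugin_regex MODULE: anchored pattern matching a plugin: line for MODULE
# and nothing else (so audit_syslog.so does not match audit_syslog.so.1).
plugin_regex() {
    printf '^plugin:[[:space:]]*name=%s(;|[[:space:]]|$)' "$1"
}

# add_plugin FILE MODULE ATTRS: append plugin:name=MODULE;ATTRS unless a line
# for MODULE already exists, so a re-run postinstall never duplicates it.
add_plugin() {
    file=$1; module=$2; attrs=$3
    if grep -Eq "$(plugin_regex "$module")" "$file"; then
        return 0
    fi
    if [ -n "$attrs" ]; then
        printf 'plugin:name=%s;%s\n' "$module" "$attrs" >> "$file"
    else
        printf 'plugin:name=%s\n' "$module" >> "$file"
    fi
}

# remove_plugin FILE MODULE: drop only the plugin: line(s) naming MODULE.
# Writes to a temp file and renames, so a crash mid-write cannot leave a
# truncated audit_control behind (which would break auditd's next start).
remove_plugin() {
    file=$1; module=$2
    tmp="$file.tmp.$$"
    grep -Ev "$(plugin_regex "$module")" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# plugin_count FILE: number of plugin: lines, used to verify the edits.
plugin_count() {
    grep -c '^plugin:' "$1" || true
}
```

The point of the idempotent add and the module-scoped remove is exactly the cleanup concern raised above: if every package edits the same shared file, each one has to be careful not to clobber the lines of others, which is the argument for auditd reading per-package configuration from separate files instead.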