some ideas to flesh out more of vfs_full_audit's end all, be all, capabilities list...

# currently possible but not sexy
full_audit:success = <list all 90 some ops, minus a few>
full_audit:failure = all

# it would be slick to have something like this to skip
# common or uninteresting entries. a little code added
# to init_bitmap() should do the trick nicely.
full_audit:success = all !readdir !telldir !closedir
full_audit:failure = all

# for even more fun, add op classes that can be added to
# or redefined by the user. and have the definitions
# be additive as they are parsed rather than splitting the
# conf lines with \ if that's even possible.
full_audit:oc = noise = readdir telldir closedir ...
full_audit:oc = always = create delete rename ...
full_audit:oc = ifspace = chmod ...
full_audit:oc = because = oc_ifspace oc_noise connect
full_audit:success = all !oc_noise !oc_ifspace
or
full_audit:success = oc_always oc_ifspace

# and log to a file in do_log() without going through syslog.
full_audit:logfile = /<wherever>
full_audit:logfile = log.full_audit # no anchor, puts in usual logdir
bump. thx.
Created attachment 5353 [details] proposed patch This patch _may_ implement the ! idea. However I cannot test the patch as I am suffering from Bug #6557 when testing on master.
Created attachment 5381 [details] Tested patch Tested patch, including manpage update
Created attachment 5408 [details] Enable negated ops, and allow opclasses This adds operation class support, and includes the changes from the former patch.
A few words on the last patch. It implements VFS operation classes by having the user define a list of classes he implements. For example:

full_audit:classes = SMBTrafficAnalyzerV1 Important

Here, the user declares two classes. The user must then define the classes as for example:

full_audit:SMBTrafficAnalyzerV1 = pread read pwrite write
full_audit:Important = mkdir

The user might then do the following:

full_audit:success = SMBTrafficAnalyzerV1 !Important

Classes can include classes on their own. We parse recursively through them. However, should the user have an ill-fated class setup, like:

full_audit:classes = SMBTrafficAnalyzerV1 Important
full_audit:SMBTrafficAnalyzerV1 = pread read pwrite write Important
full_audit:Important = mkdir !SMBTrafficAnalyzerV1
full_audit:success = SMBTrafficAnalyzerV1

we will stop scanning the classes after a recurse depth of level 20. This allows for relatively complex class scenarios, while making sure that self repeating class setups are disabled.
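To make the semantics of the two proposals concrete (the "!" negation from the opening report and the operation classes described in the comment above), here is an added stand-alone model of how such a list would be expanded. It is an illustration, not the patch attached to this bug and not Samba's init_bitmap() code: it assumes a constructed subset of the ~90 vfs_full_audit operation names, sectionless "full_audit:key = value" lines instead of a real smb.conf, and it rejects a class chain deeper than 20 levels instead of silently stopping the scan as the patch does.

```python
"""Model of '!' negation and operation classes for a vfs_full_audit-style
success/failure list.  Added illustration, not Samba code; the op names and
the smb.conf subset below are constructed for the example."""

# Constructed: a small subset of the ~90 vfs_full_audit operation names.
OPS = frozenset([
    "connect", "disconnect", "mkdir", "rmdir", "open", "close", "read", "pread",
    "write", "pwrite", "readdir", "telldir", "closedir", "rename", "unlink", "chmod",
])

MAX_DEPTH = 20  # nesting limit mentioned in the thread


class AuditConfigError(ValueError):
    """Unknown op/class name, or class nesting deeper than MAX_DEPTH."""


def parse_full_audit(lines):
    """Collect 'full_audit:<key> = <tokens>' lines into {key: [tokens]}.
    Assumption: no [sections], '#' comments, later keys replace earlier ones."""
    conf = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("full_audit:"):
            conf[key[len("full_audit:"):]] = value.split()
    return conf


def expand_ops(tokens, classes, depth=0):
    """Resolve a token list, left to right, into the set of selected ops.
    A plain token adds ops, a '!' token removes them ('all !readdir' is
    everything but readdir).  Class names expand recursively; exceeding
    MAX_DEPTH (a self-referencing setup) is rejected here so that a
    misconfiguration cannot silently shrink audit coverage."""
    if depth > MAX_DEPTH:
        raise AuditConfigError("class nesting exceeds %d levels" % MAX_DEPTH)
    selected = set()
    for tok in tokens:
        negate = tok.startswith("!")
        name = tok[1:] if negate else tok
        if name == "all":
            ops = set(OPS)
        elif name in classes:
            ops = expand_ops(classes[name], classes, depth + 1)
        elif name in OPS:
            ops = {name}
        else:
            raise AuditConfigError("unknown operation or class: %r" % tok)
        if negate:
            selected -= ops
        else:
            selected |= ops
    return selected


def build_audit_sets(lines):
    """Return (success_ops, failure_ops) for a full_audit configuration."""
    conf = parse_full_audit(lines)
    classes = {n: conf[n] for n in conf.get("classes", []) if n in conf}
    return (expand_ops(conf.get("success", []), classes),
            expand_ops(conf.get("failure", []), classes))


# Constructed sample configurations mirroring the thread's examples.
NEGATION_CONF = """
full_audit:success = all !readdir !telldir !closedir
full_audit:failure = all
""".splitlines()

CLASS_CONF = """
full_audit:classes = SMBTrafficAnalyzerV1 Important
full_audit:SMBTrafficAnalyzerV1 = pread read pwrite write
full_audit:Important = mkdir
full_audit:success = SMBTrafficAnalyzerV1 !Important
full_audit:failure = all
""".splitlines()

# The "ill-fated" mutually recursive setup from the thread.
CYCLIC_CONF = """
full_audit:classes = SMBTrafficAnalyzerV1 Important
full_audit:SMBTrafficAnalyzerV1 = pread read pwrite write Important
full_audit:Important = mkdir !SMBTrafficAnalyzerV1
full_audit:success = SMBTrafficAnalyzerV1
""".splitlines()


def cyclic_config_is_rejected():
    """True if the self-referencing class setup is refused, not expanded."""
    try:
        build_audit_sets(CYCLIC_CONF)
    except AuditConfigError:
        return True
    return False


if __name__ == "__main__":
    success, _ = build_audit_sets(NEGATION_CONF)
    print("negation: skipped on success:", sorted(OPS - success))
    success, _ = build_audit_sets(CLASS_CONF)
    print("classes: success ops =", sorted(success))
    print("cyclic config rejected:", cyclic_config_is_rejected())
```

Negation is applied in token order, so "all !readdir" and "!readdir all" mean different things, which is the behaviour a bitmap built by scanning the list once would naturally have; the depth limit is what turns the mutually recursive class pair into a configuration error instead of an endless expansion.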
Wow, that's freaking complex. I need to very closely look at it. My initial reaction is "Why not link perl or python into that, this might do the same....". Volker
Comment on attachment 5408 [details] Enable negated ops, and allow opclasses Hi, Holger! As already discussed on irc: I think these classes are a bit over the top. This is code that we need to carry forever. We haven't come up with an example where the classes solve problems that can't be solved without them with a potentially more verbose configuration. I do see the point of having the !. If we can get a patch that does only that, I think it would be perfect. This would be very easy to explain, the code should be equally trivial. Thanks for looking at this! Volker
Volker, I understood, and I am fine with it. See in comment #3 the patch implementing exactly only the ! idea.
Created attachment 5431 [details] patch Holger, I think this patch simplifies the logic in init_bitmap a bit. What do you think? Volker
Comment on attachment 5431 [details] patch Volker, thank you! Tested the patch another time, works, and I am fine with your changes!
Comment on attachment 5381 [details] Tested patch Pushed the alternative patch
Holger, please re-open and assign to Karolin if you want this in 3.5.1. Otherwise it will be in 3.6.
Reopening for reassignment
Reassigning to Karolin for inclusion into 3.5.1
As this is an enhancement and not a bug fix, I would prefer to put it in 3.6.0 instead of 3.5.1. Closing out bug report as patch has been pushed to master and 3.6 branches have not been created yet. Thanks a lot!