PF ring support in argus
Russell Fulton
r.fulton at auckland.ac.nz
Fri Oct 12 15:28:27 EDT 2007
Carter Bullard wrote:
> Gentle people,
> So, we don't really need to do anything in argus, as it seems
> to be driven by environment variables (assuming you're using
> the shared library strategy). But that doesn't sound very
> elegant.
>
> So I can add to argus.conf:
>
> ARGUS_ENV="name=value"
>
> And we can allow for any environment variable to be set?
> Is this dangerous? I'm thinking that it's pretty benign, as long
> as we're careful on buffer overflow etc., but it also would be
> trivial to allow only specific environment variables? I'm sure
> that someone will think that it's dangerous, but in the
> Bell-LaPadula scheme of things, it probably is not a real issue.

Seems pretty benign to me (assuming sensible programming practices are
followed and we all trust Carter in that department ;).

Having everything in the config file is certainly much tidier. I have
had occasions where I have installed the modified pcap and bungled
setting the environment variable and discovered it months later.

Mind you, if I ever get bcfg2 properly set up to manage my sensors, all
the things like /etc/bashrc will be centrally managed too. For those
who have not come across it, bcfg2 is a rather nice configuration
management tool from ANL: http://trac.mcs.anl.gov/projects/bcfg2

BTW the reason I have gone with this method and not the kernel mods like
Peter is that I don't have anyone to build custom kernels for me and I
don't have time to do it myself.

And, lastly, thanks to Jason for pointing out the README.ring file in
the distro. I had missed that. sigh...

Russell