On Fri, 11 Aug 2006, Kenneth Porter wrote:

> --On Wednesday, August 09, 2006 7:33 PM -0700 jdow <[EMAIL PROTECTED]>
> wrote:
>
> > For about a femto-second, perhaps. There is too much YMMV
> > involved with the SARE rule sets to make it practical as
> > an rpm solution.
>
> True, this is the real problem with packaging SARE: There's no
> clear separation of configuration so that a single update package
> can serve all users.

How about: install ALL of the current SARE rules into a directory that SA does not look at (/usr/lib/SARE perhaps?), and set up RDJ or whatever to update them there, and in order to use a particular SARE ruleset the admin goes into the SA config directory and creates a symlink to the desired ruleset file(s).

You could even write a pointy-clicky-gooey thingy to put a pretty face on activating/deactivating the rulesets: a list of the available rules, with their descriptions, caveats, masscheck results, and so forth, and a checkbox that indicates whether or not a symlink exists to expose that rule to SA.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 People seem to have this obsession with objects and tools as being
 dangerous in and of themselves, as though a weapon will act of its
 own accord to cause harm. A weapon is just a force multiplier. It's
 *humans* that are (or are not) dangerous.
-----------------------------------------------------------------------
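
The symlink scheme proposed in the message above, sketched as shell functions. This is an added example, not part of the original post and not code from SARE or RDJ. `/usr/lib/SARE` is the post's own suggestion; `/etc/mail/spamassassin` as the SA config directory and all function names are assumptions.

```shell
# Added illustration of the symlink scheme proposed above; not from the thread.
# SARE_STORE follows the post's "/usr/lib/SARE perhaps?"; SA_CONF is an
# assumed SpamAssassin site config directory. Both can be overridden.
SARE_STORE="${SARE_STORE:-/usr/lib/SARE}"
SA_CONF="${SA_CONF:-/etc/mail/spamassassin}"

# Accept only a bare *.cf file name, so a name can never point outside the store.
sare_valid_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
        *.cf) return 0 ;;
        *) return 1 ;;
    esac
}

# Expose one ruleset to SA by symlinking it into the config directory.
sare_enable() {
    sare_valid_name "$1" || { echo "bad ruleset name: $1" >&2; return 2; }
    [ -f "$SARE_STORE/$1" ] || { echo "no such ruleset: $1" >&2; return 3; }
    # Never replace a real file the admin wrote by hand (e.g. local.cf).
    if [ -e "$SA_CONF/$1" ] && [ ! -L "$SA_CONF/$1" ]; then
        echo "refusing to overwrite regular file: $SA_CONF/$1" >&2; return 4
    fi
    ln -sfn "$SARE_STORE/$1" "$SA_CONF/$1"
}

# Hide a ruleset from SA again; only ever removes symlinks.
sare_disable() {
    sare_valid_name "$1" || { echo "bad ruleset name: $1" >&2; return 2; }
    [ -L "$SA_CONF/$1" ] || return 0
    rm -f "$SA_CONF/$1"
}

# The "checkbox" view: one line per stored ruleset, [x] if a symlink exposes it.
sare_status() {
    for f in "$SARE_STORE"/*.cf; do
        [ -f "$f" ] || continue
        n=${f##*/}
        if [ -L "$SA_CONF/$n" ] && [ "$(readlink "$SA_CONF/$n")" = "$f" ]; then
            echo "[x] $n"
        else
            echo "[ ] $n"
        fi
    done
}
```

After enabling or disabling a ruleset, `spamassassin --lint` checks that the resulting configuration still parses.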