What I'm thinking right now is to create the possibility to create a "tagdb", independently from the patterndb database (although they must play hand-in-hand).
This tagdb would define the tag hierarchy (tags in bunches basically) and could perhaps also associate a type with the tags.
That would be really nice, but it sounds like a lot of effort will be required on your part. Still, sounds good if you're up for the maintenance.
<tagdb>
  <bunch name="security">
    <tag type="object" name="flowevt"/>
    <tag type="action" name="secevt"/>
  </bunch>
  <bunch name="storage">
    <tag type="object" name="file"/>
    <tag type="object" name="database"/>
  </bunch>
  <tag type="class" name="violation"/>
  <tag type="class" name="security"/>
  <tag type="class" name="system"/>
  <tag type="class" name="unknown"/>
  <tag name="just-a-simple-tag-without-type"/>
</tagdb>
This seems workable, but to me, all that is required is a standard list of classes and tags to use as a guide for contributions. People can pick the most important tag to be the class name, and then just apply the rest as tags. A worthwhile discussion could take place on whether the most general or most specific tag should be used for the class. This format would still comply with the CEE requirements as long as all of the tags needed are present. So, it would look more like:

.classifier.class="security"
<tags>
  <tag>flowevt</tag> <!--object-->
  <tag>deny</tag> <!--action-->
  <tag>success</tag> <!--status-->
</tags>

Or, you could be explicit with the CEE values:

<tag>object.flowevt</tag>
For some reason I rather like type tags, even though it is somewhat more bureaucratic: users/pattern authors should be free to create their tags without limitation.
Opinions?
I agree.
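
Added example, not part of the thread and not syslog-ng code: a sketch of how the proposed tagdb could be loaded and used to check a rule's class and tags while still allowing free-form tags. The function names `load_tagdb` and `check_rule` and the report layout are assumptions; the XML is the sketch from the thread and the rule is the class/tags example from the reply.

```python
import xml.etree.ElementTree as ET

# The tagdb sketch proposed in the thread, embedded as sample input.
TAGDB_XML = """
<tagdb>
  <bunch name="security">
    <tag type="object" name="flowevt"/>
    <tag type="action" name="secevt"/>
  </bunch>
  <bunch name="storage">
    <tag type="object" name="file"/>
    <tag type="object" name="database"/>
  </bunch>
  <tag type="class" name="violation"/>
  <tag type="class" name="security"/>
  <tag type="class" name="system"/>
  <tag type="class" name="unknown"/>
  <tag name="just-a-simple-tag-without-type"/>
</tagdb>
"""

def load_tagdb(xml_text):
    """Return {tag name: (type or None, bunch or None)} (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    db = {}
    for parent in [root] + root.findall("bunch"):
        bunch = parent.get("name") if parent.tag == "bunch" else None
        for tag in parent.findall("tag"):
            name, typ = tag.get("name"), tag.get("type")
            if name in db and db[name][0] != typ:
                raise ValueError(f"tag {name!r} declared with conflicting types")
            db[name] = (typ, bunch)
    return db

def check_rule(db, rule_class, tags):
    """Sort a rule's tags into typed / untyped / not in the tagdb."""
    report = {"class_ok": db.get(rule_class, (None, None))[0] == "class",
              "typed": {}, "untyped": [], "unknown": []}
    for t in tags:
        if t not in db:
            report["unknown"].append(t)   # free-form tag: reported, not rejected
        elif db[t][0] is None:
            report["untyped"].append(t)
        else:
            report["typed"][t] = db[t][0]
    return report

if __name__ == "__main__":
    print(check_rule(load_tagdb(TAGDB_XML), "security", ["flowevt", "deny", "success"]))
```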