Adding multiple watch rules on same path
Klaus Weidner
klaus at atsec.com
Tue Aug 22 18:30:01 UTC 2006
On Tue, Aug 22, 2006 at 11:51:14AM -0400, Steve Grubb wrote:
> On the other hand, suppose you wrote a system that dynamically alters the audit
> rules. You could use the key field to identify those rules so that you do not
> have to think about baseline rules the admin may have in place. IOW, you can
> issue another rule to watch /etc/shadow for writes without checking to see if
> it already exists. Also, you can delete the rule without worry that you are
> deleting something the admin wants there as baseline.
I think it's useful to keep it, especially if it already works now. A
file may need auditing for multiple overlapping reasons, and it's nice to
get consistent results in that case.
It's a feature beyond what CAPP/LSPP requires and it's only available to
admins, so there is no need to specifically test these combinations if
you're just going for CC compliance.
-Klaus
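The key-scoped management Steve describes above, as an added example that is not part of the thread and not code from the audit project: two watches on the same path, each tagged with its own key, so a dynamic tool can drop its rule without touching the admin's baseline. The rule file path, the key names and the helper function names are assumptions for illustration; the functions edit a rules file in the `-w PATH -p PERMS -k KEY` form that auditctl and rules.d files use, so the example runs without root or a running auditd. On a live system the same two operations are `auditctl -w PATH -p PERMS -k KEY` to add and `auditctl -W PATH -p PERMS -k KEY` to delete.

```shell
#!/bin/sh
# Added example (not from the Linux-audit thread or the audit project).
# Manages watch rules by key in a rules file; RULES_FILE defaults to a temp
# file so this runs offline. Key names and paths below are illustrative.
RULES_FILE="${RULES_FILE:-$(mktemp)}"

# add_watch PATH PERMS KEY : append a watch rule. A second rule on the same
# path with a different key is intentional: each owner tags its own rule.
add_watch() {
    printf -- '-w %s -p %s -k %s\n' "$1" "$2" "$3" >> "$RULES_FILE"
}

# del_by_key KEY : remove only the rules tagged with KEY. The key is matched
# as a whole token, so deleting "dyn" leaves "dyn_shadow" in place.
del_by_key() {
    key="$1"
    tmp=$(mktemp)
    awk -v k="$key" '
        { keep = 1
          for (i = 1; i < NF; i++) if ($i == "-k" && $(i+1) == k) keep = 0
          if (keep) print }' "$RULES_FILE" > "$tmp"
    mv "$tmp" "$RULES_FILE"
}

# count_watches PATH : how many rules still watch PATH
count_watches() {
    awk -v p="$1" '
        { for (i = 1; i < NF; i++) if ($i == "-w" && $(i+1) == p) c++ }
        END { print c + 0 }' "$RULES_FILE"
}

# keys_for PATH : the keys attached to rules watching PATH, one per line
keys_for() {
    awk -v p="$1" '
        { w = 0
          for (i = 1; i < NF; i++) if ($i == "-w" && $(i+1) == p) w = 1
          if (w) for (i = 1; i < NF; i++) if ($i == "-k") print $(i+1) }' "$RULES_FILE"
}

# Demo: an admin baseline rule and a dynamically added rule on the same path,
# plus an unrelated rule whose key is a prefix of the dynamic one.
add_watch /etc/shadow wa baseline_shadow   # admin's baseline
add_watch /etc/shadow wa dyn_shadow        # added by the dynamic tool
add_watch /etc/passwd wa dyn               # similar-looking key, must survive
del_by_key dyn_shadow                      # tool removes only its own rule
cat "$RULES_FILE"                          # baseline_shadow and dyn remain
```

The whole-token match in `del_by_key` is the part worth keeping: a naive `grep -v dyn` would also strip the admin's `dyn_shadow`-style keys, which is exactly the collision the key field is meant to avoid.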