EXT :Re: Adding enterprise capability - an includeConfig directive for audit.rules?

Steve Grubb sgrubb at redhat.com
Thu Apr 18 13:49:55 UTC 2013 

On Sunday, April 07, 2013 09:16:46 PM Burn Alting wrote:
> Please find attached my patch on this matter.

Thanks for taking this on.


> I essence, /etc/audit/audit.rules is now formed from files (.rules
> suffixed) within /etc/audit/rules.d. The new script /sbin/augenrules is
> executed by from either startup script,  /etc/init.d/auditd
> or /usr/lib/systemd/system/auditd.service before calling auditctl.

One issue that I am concerned about is how this feature gets added to existing 
setups. For example, someone may have a /etc/audit/audit.rules file, then 
upgrade and if there is an empty shipped policy in /etc/audit/audit.d, it will 
erase the installed rules.

So, I think we should have an /etc/sysconfig option that enables augenrules so 
that an admin has to do something to turn this on thus preventing automatic 
deletion of rules.

For systemd, I think we want to ship the service file with the ExecStartPost 
line commented out which then requires an admin to take an action to enable. 
We really don't want unexpected things to happen during an upgrade.
 

> The generated file ensures
>  - the last processed -D directive without an option, if present, is
> emitted  on the first line

In generating rules, we should always start with -D. I can't imagine not 
having it.

>  - the last processed -b directive, if present, is emitted on the second
> line

We probably want the largest in all the processed files.


>  - the last processed -f directive, if present, is emitted on the third
> line

We probably want the largest here, too.

>  - the last processed -e directive, if present, is emitted as the last
> line.

I was thinking that if any of the files try to ask for it to be immutable, then 
it should go at the end.

> The file, /etc/audit/audit.rules, is only updated if it has changed.
> > https://www.redhat.com/mailman/listinfo/linux-audit

That is great, because any write could be an auditable event. At some point we 
also might want to add support for a --check option which does everything 
except overwrite the final rules.

-Steve

More information about the Linux-audit mailing list