audit.rules file [Was: audit 2.3 released]
Burn Alting
burn at swtf.dyndns.org
Sun May 5 13:32:42 UTC 2013
Laurent,
I think audit.rules should revert back to being installed
to /etc/audit/audit.rules.
This way we maintain Steve's intent, that the use of augenrules
and /etc/audit/rules.d is the result of a conscious decision by an
administrator. IE no inadvertent overwriting of /etc/audit/audit.rules
during an upgrade.
Regards
Burn Alting
On Sun, 2013-05-05 at 11:43 +0200, Laurent Bigonville wrote:
> Le Wed, 01 May 2013 10:29:07 -0400,
> Steve Grubb <sgrubb at redhat.com> a écrit :
>
> > Hi,
> Hello,
>
> [...]
> >
> > Several people have asked for a way to deposit rules into a directory
> > so that based on what is installed, rules can also be added. This
> > makes it easier to have a core system that gets packages, config, and
> > files added to make it a different kind of server or desktop. My
> > guess is that it will be mostly used to add watches on setuid apps
> > which can differ from machine type to machine type.
> >
> > The place where these rules are stored is /etc/audit/rules.d.
> > Compiling rules from that directory will result in a new file being
> > written to /etc/audit/audit.rules. That means it can overwrite
> > existing rules. Since we don't want that to happen by accident,
> > augenrules is disabled by default.
> [...]
>
> The make install rule is now installing audit.rules in
> the /etc/audit/rules.d directory.
>
> What would happen on fresh installation if augenrules call is disabled
> and that /etc/audit/audit.rules is not existing?
>
> Will /etc/audit/rules.d/audit.rules be called as a fallback? Or should
> distributions take care of shipping both /etc/audit/audit.rules
> and /etc/audit/rules.d/audit.rules?
>
> What do you think?
>
> Cheers
>
> Laurent Bigonville
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list