audit rules placement

Lev Stipakov lstipakov at gmail.com
Fri Jan 29 10:37:31 UTC 2016


Hello,

I have an rpm/deb package which includes an audisp plugin. In order for the 
plugin to work, I need to permanently add audit rules. It seems that for 
CentOS/RHEL 7 I need to put those into /etc/audit/rules.d/audit.rules 
and for CentOS/RHEL 6 (and probably Debian / Ubuntu?) it is 
/etc/audit/audit.rules.

I noticed, however, that at least on CentOS 7 I could put my rules into 
/etc/audit/rules.d/plugin.rules and they will be picked up on auditd 
restart and added to /etc/audit/audit.rules. This does not work on 
Debian 8 - even though it has a rules.d directory, only rules from 
/rules.d/audit.rules are used.

Is there some kind of "official" guidance as to where I should put my rules 
on CentOS/RHEL/Debian/Ubuntu?

-Lev



