Monitoring files

Steve Grubb sgrubb at redhat.com
Wed Apr 25 00:24:34 UTC 2018


On Tuesday, April 24, 2018 7:45:15 PM EDT warron.french wrote:
>  Mr. Briggs/Rafi,
> 
> I don't see the -i switch even mentioned in the manpage for audit.rules.
> Is this a documented switch, or not yet a capability on Red Hat or CentOS
> systems?

All audit commands are documented in the auditctl man page. When rules load, 
auditctl processes them as if you typed them in one by one via auditctl. It's 
just that you do not need to type auditctl on each line of the rules.

-Steve

> --------------------------
> Warron French
> 
> On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > On 2018-04-24 18:03, warron.french wrote:
> > > Mr. Briggs/Rafi,
> > 
> > I think you forgot to reply to the list (preferred) and/or Rafi.
> > 
> > > I don't see the -i switch even mentioned in the manpage for
> > > audit.rules.
> > > Is this a documented switch, or not yet a capability on Red Hat or
> > > CentOS
> > > systems?
> > > 
> > > Thanks in advance,
> > > 
> > > --------------------------
> > > Warron French
> > > 
> > > 
> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb at redhat.com>
> > > wrote:
> > > > On 2018-04-23 23:41, F Rafi wrote:
> > > > > Adding a -i to the rules file should ignore any errors.
> > > > 
> > > > At risk of feature creep, it might be nice to have a flag to ignore
> > > > certain rules but not others, a way to tag individual rules with
> > > > either
> > > > a must, or a different tag with "ignore if not present" for file
> > > > rules.
> > > > 
> > > > > -Farhan
> > > > > 
> > > > > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french at gmail.com>
> > > > > wrote:
> > > > > > Hi, I have a requirement to monitor a ton of files, executables
> > > > > > and config files.
> > > > > > 
> > > > > > Anyway, not all of my systems have every file in the list; and
> > > > > > when I add the rules appropriate, either as a Watch (-w) rule or
> > > > > > as an Action (-a) rule, the rules stop loading when they find a
> > > > > > rule that has a file that doesn't exist *on that particular system*.
> > > > > > 
> > > > > > This is the intended effect, yes?
> > > > > > 
> > > > > > Thanks in advance,
> > > > > > --------------------------
> > > > > > Warron French
> > > > 
> > > > - RGB
> > > > 
> > > > --
> > > > Richard Guy Briggs <rgb at redhat.com>
> > > > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > > Remote, Ottawa, Red Hat Canada
> > > > IRC: rgb, SunRaycer
> > > > Voice: +1.647.777.2635, Internal: (81) 32635
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rgb at redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
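The per-rule "must" versus "ignore if not present" distinction Richard floats above can be done in a wrapper that generates the rules file, as an added example that is not code from the thread or from the audit project: it emits `-w` watches from a constructed list, keeps "must" entries unconditionally (so a missing file still fails loudly when auditctl loads the file) and drops "optional" entries whose path is absent on this host, so the rest of the rules still load without a blanket `-i`. The list format, paths and keys are assumptions for the example.

```bash
#!/bin/bash
# Added example, not part of the linux-audit thread. Generates auditctl-style
# watch rules from a list of the form (constructed for this example):
#   <must|optional> <path> <permissions> <key>
# Putting "-i" at the top of a rules file instead would make auditctl ignore
# every load error, including ones you want to hear about.

# Constructed sample watch list; the paths and keys are illustrative.
WATCH_LIST='must /etc/passwd wa identity
must /etc/shadow wa identity
optional /etc/example-app.conf wa appconf
optional /bin/sh x exec'

# gen_rules LIST -> prints the rules fragment on stdout.
# "must" entries are always emitted; "optional" entries are emitted only when
# the path exists here, otherwise a comment records that they were skipped.
gen_rules() {
    printf '%s\n' "$1" | while read -r mode path perms key; do
        [ -z "$mode" ] && continue
        case "$mode" in
            must)
                printf '%s %s -p %s -k %s\n' "-w" "$path" "$perms" "$key" ;;
            optional)
                if [ -e "$path" ]; then
                    printf '%s %s -p %s -k %s\n' "-w" "$path" "$perms" "$key"
                else
                    printf '# skipped (absent on this host): %s\n' "$path"
                fi ;;
            *)
                printf 'unknown mode %s for %s\n' "$mode" "$path" >&2
                exit 1 ;;
        esac
    done
}

# count_rules LIST -> number of active -w rules the fragment would load.
count_rules() {
    gen_rules "$1" | grep -c '^-w '
}
```

Write the output to a file under /etc/audit/rules.d/ on the target host and load it with augenrules or auditctl -R as you normally would.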