Monitoring files

Richard Guy Briggs rgb at redhat.com
Wed Apr 25 00:43:37 UTC 2018


On 2018-04-24 18:04, warron.french wrote:
> Furthermore, where would I add the -i switch to a rule like this one:
> 
> -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> auid!=4294967295 -k privileged

I'm not aware of any per-rule switches to permit failure to load to be
non-fatal.  I was suggesting it might help in your situation to add such
a feature, but I think the better solution is a customized rule set for
each machine or type of machine.

> ??
> 
> --------------------------
> Warron French
> 
> 
> On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french at gmail.com>
> wrote:
> 
> > Mr. Briggs/Rafi,
> >
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb at redhat.com>
> > wrote:
> >
> >> On 2018-04-23 23:41, F Rafi wrote:
> >> > Adding a -i to the rules file should ignore any errors.
> >>
> >> At risk of feature creep, it might be nice to have a flag to ignore
> >> certain rules but not others, a way to tag individual rules with either
> >> a must, or a different tag with "ignore if not present" for file rules.
> >>
> >> > -Farhan
> >> >
> >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french at gmail.com>
> >> wrote:
> >> > > Hi, I have a requirement to monitor a ton of files, executables and
> >> > > config files.
> >> > >
> >> > > Anyway, not all of my systems have every file in the list; and when I
> >> > > add the rules appropriate, either as a Watch (-w) rule or as an Action
> >> > > (-a) rule, the rules stop loading when they find a rule that has a file
> >> > > that doesn't exist *on that particular system*.
> >> > >
> >> > > This is the intended effect, yes?
> >> > >
> >> > > Thanks in advance,
> >> > > --------------------------
> >> > > Warron French
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <rgb at redhat.com>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >>
> >
> >

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
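The per-machine rule set that Briggs recommends can be generated from one shared template, which avoids the loader stopping at the first rule whose path is absent. The following POSIX sh script is an added example for this thread, not code from the audit project or from any of the posters: it reads an audit.rules-style template, keeps every line that names no path (buffer settings, deletes, comments, syscall-only rules), keeps `-w` and `-F path=`/`-F dir=` rules whose target exists on this host, and turns the rest into `## skipped` comment lines so the omission stays visible in the generated file. The function names `filter_audit_rules` and `generate_host_rules` are this example's own; the template used in the test is constructed.

```shell
#!/bin/sh
# Added example: build a per-host audit rule set from a shared template by
# dropping watch/path rules whose target does not exist on this host.
# Not code from the audit project. Assumes the template uses the documented
# "-w <path> ..." and "-a ... -F path=<p>" / "-F dir=<p>" forms.

# filter_audit_rules: read rules on stdin, print host-appropriate rules on
# stdout. Lines without a path (-D, -b, -f, comments, syscall-only rules)
# pass through unchanged; a rule naming a missing path is emitted as a
# "## skipped" comment, which auditctl ignores like any other comment.
filter_audit_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=""
        case "$line" in
            "-w "*)
                # Watch rule: "-w /path -p wa -k key"; the path is token two.
                path=$(printf '%s\n' "$line" | awk '{ print $2 }')
                ;;
            "-a "*)
                # Syscall rule: the file, if any, is given as -F path= or -F dir=.
                path=$(printf '%s\n' "$line" |
                    sed -n -e 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p' \
                           -e 's/.*-F[[:space:]]*dir=\([^[:space:]]*\).*/\1/p')
                ;;
        esac
        if [ -z "$path" ] || [ -e "$path" ]; then
            printf '%s\n' "$line"
        else
            printf '## skipped (not present on this host): %s\n' "$line"
        fi
    done
}

# generate_host_rules TEMPLATE DEST: write the filtered rule set to DEST and
# print the number of rules that were skipped (0 means every path exists).
generate_host_rules() {
    filter_audit_rules < "$1" > "$2"
    grep -c '^## skipped' "$2" || true
}

# Usage (run at provisioning time, then load DEST with auditctl -R or augenrules):
#   generate_host_rules /path/to/template.rules /etc/audit/rules.d/host.rules
```

The existence check is made once, when the file is generated, so the script should be re-run whenever packages are added or removed; the `## skipped` lines make it easy to diff what one host is not watching against the template.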
