Monitoring files

F Rafi farhanible at gmail.com
Wed Apr 25 14:06:13 UTC 2018


Warron,

> Furthermore, where would I add the -i switch to a rule like this one:

You basically put a "-i" on a separate line by itself afaik somewhere at
the top of the audit rules file. All the rules below the -i line will not
cause a load failure (Steve and RGB can confirm).

Farhan

On Tue, Apr 24, 2018 at 8:49 PM Richard Guy Briggs <rgb at redhat.com> wrote:

> On 2018-04-24 18:04, warron.french wrote:
> > Furthermore, where would I add the -i switch to a rule like this one:
> >
> > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> > auid!=4294967295 -k privileged
>
> I'm not aware of any per-rule switches to permit failure to load to be
> non-fatal.  I was suggesting it might help in your situation to add such
> a feature, but I think the better solution is a customized rule set for
> each machine or type of machine.
>
> > ??
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french at gmail.com>
> > wrote:
> >
> > > Mr. Briggs/Rafi,
> > >
> > > I don't see the -i switch even mentioned in the manpage for
> audit.rules.
> > > Is this a documented switch, or not yet a capability on Red Hat or
> CentOS
> > > systems?
> > >
> > > Thanks in advance,
> > >
> > > --------------------------
> > > Warron French
> > >
> > >
> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb at redhat.com>
> > > wrote:
> > >
> > >> On 2018-04-23 23:41, F Rafi wrote:
> > >> > Adding a -i to the rules file should ignore any errors.
> > >>
> > >> At risk of feature creep, it might be nice to have a flag to ignore
> > >> certain rules but not others, a way to tag individual rules with
> either
> > >> a must, or a different tag with "ignore if not present" for file
> rules.
> > >>
> > >> > -Farhan
> > >> >
> > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <
> warron.french at gmail.com>
> > >> wrote:
> > >> > > Hi, I have a requirement to monitor a ton of files, executables
> and
> > >> config
> > >> > > files.
> > >> > >
> > >> > > Anyway, not all of my systems have every file in the list; and
> when I
> > >> add
> > >> > > the rules appropriate, either as a Watch (-w) rule or as an Action
> > >> (-a)
> > >> > > rule, the rules stop loading when they find a rule that has a file
> that
> > >> > > doesn't exist *on that particular system*.
> > >> > >
> > >> > > This is the intended effect, yes?
> > >> > >
> > >> > > Thanks in advance,
> > >> > > --------------------------
> > >> > > Warron French
> > >>
> > >> - RGB
> > >>
> > >> --
> > >> Richard Guy Briggs <rgb at redhat.com>
> > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > >> Remote, Ottawa, Red Hat Canada
> > >> IRC: rgb, SunRaycer
> > >> Voice: +1.647.777.2635, Internal: (81) 32635
> > >>
> > >
> > >
>
> - RGB
>
>
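The per-host rule set Richard recommends, with the `-i` line placed at the top of the file as Farhan describes, as an added example that is not part of this thread: a shell script that reads a master list of paths and writes audit rules only for the files present on the machine it runs on, so a file that is absent on one system never stops the rest of the rules from loading. The action-rule shape for executables is the one quoted above; the `-w ... -p wa -k config` watch used for non-executables, the list and output file names, and the sample paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a per-host audit rules fragment
# from a master list of paths (one per line, '#' comments allowed), keeping
# only the paths that exist on this machine so auditctl never stops at a
# file that is absent here. The "-i" line at the top follows the thread's
# advice for anything that still fails to load.
gen_rules() {
  # $1 = master list of paths, $2 = output rules file (both assumed names)
  list="$1"; out="$2"; kept=0; skipped=0
  {
    echo "## generated $(date -u +%Y-%m-%dT%H:%M:%SZ) for host $(uname -n)"
    echo "-i"
    while IFS= read -r path || [ -n "$path" ]; do
      case "$path" in ''|\#*) continue ;; esac
      if [ ! -e "$path" ]; then
        # record the gap instead of emitting a rule that would fail to load
        echo "## skipped (not present on this host): $path"
        skipped=$((skipped + 1))
        continue
      fi
      if [ -f "$path" ] && [ -x "$path" ]; then
        # executable: the action rule quoted in the thread, keyed "privileged"
        echo "-a always,exit -F path=$path -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
      else
        # anything else (config file, directory): watch writes and attribute changes
        echo "-w $path -p wa -k config"
      fi
      kept=$((kept + 1))
    done < "$list"
  } > "$out"
  # report counts so a deployment job can alert on unexpected skips
  echo "$kept $skipped"
}

# Usage (assumed paths): gen_rules master.list /etc/audit/rules.d/50-monitored.rules
if [ "$#" -eq 2 ]; then
  gen_rules "$1" "$2"
fi
```

Regenerating the fragment on each host at deploy time, then loading it with augenrules or auditctl, keeps the master list in one place while each machine only carries rules for files it actually has.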