2nd Round AuditRules Questions
Joe Wulf
joe_wulf at yahoo.com
Wed Jan 20 00:22:11 UTC 2021
1. The rules for monitoring '/etc/passwd', '/etc/shadow', '/etc/group', '/etc/gshadow' exist. Shouldn't corresponding rules also exist for the same four files which also have a dash/hyphen appended to them (i.e. '/etc/passwd-', etc...)?
2. By adding 'audit=1' to grub kernel boot params, can I then safely eliminate this piece from all audit rules: '-F auid!=4294967295'? Conversely, what harm would it do to 'just leave it'? It would, in some cases, satisfy certain vulnerability scanning tools seeking exact syntax compliance, right?
Thank you.
R,
-Joe Wulf