Duplicate Rule situation

Richard Guy Briggs rgb at redhat.com
Mon Jun 21 16:57:01 UTC 2021


On 2021-06-21 12:52, warron.french wrote:
> Does anybody know if I put the following two rules into the same
> audit.rules file and reboot the server, will we end up with some broken
> rules?
> 
> -w /etc/audit/         -p a -k watch_audit
> -w /etc/audit/rules.d/ -p a -k watch_audit
> 
> Will this cause a problem due to duplicate rules?

These are two distinct rules, but redundant, so there won't be any
conflict; the second rule, however, will never trigger.

If you want finer grained triggering under one rule, likely with a
different key, try instead something like:

-w /etc/audit/rules.d/	-p a -k watch_audit_rules_d
-w /etc/audit/		-p a -k watch_audit

> Warron French

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
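As an added example (not part of the thread above, and not tooling shipped with audit), the following Python script lints an audit.rules fragment for overlapping `-w` watches of the kind discussed: it parses only the `-w`/`-p`/`-k` watch form, normalises paths by dropping a trailing slash (an assumption of this lint, matching how `auditctl -l` prints the path), and reports, for each pair where one watch path is the other or one of its ancestors, whether the narrower watch is redundant (same key), fine as a finer-grained key (different key), or an exact duplicate that the kernel refuses with "Rule exists". The sample rules are constructed for the demonstration.

```python
"""Lint an audit.rules fragment for -w watches that overlap one another.

Added example; not code from the mailing-list thread or from the audit
project. Only -w/-p/-k watch lines are parsed; -a/-F syscall rules are
ignored. Paths are normalised by dropping a trailing slash (an assumption
of this lint) so that "/etc/audit/" and "/etc/audit" compare equal.
"""
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample modelled on the rules discussed in the thread.
SAMPLE_RULES = """\
# watches on the audit configuration
-w /etc/audit/         -p a -k watch_audit
-w /etc/audit/rules.d/ -p a -k watch_audit
-w /etc/audit/rules.d/ -p a -k watch_audit_rules_d
-w /etc/ssh/sshd_config -p wa -k sshd
"""


@dataclass(frozen=True)
class Watch:
    lineno: int
    path: str    # normalised, trailing slash removed
    perms: str   # -p value; auditctl defaults to all of r/w/x/a
    key: str     # -k value, "" when the rule carries no key


def parse_watches(text: str) -> list[Watch]:
    """Extract -w watches from audit.rules text; other lines are skipped."""
    watches = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line.startswith("-w"):
            continue
        args = shlex.split(line)
        opts = {"-p": "rwxa", "-k": ""}
        path = None
        i = 0
        while i < len(args):
            flag = args[i]
            if flag in ("-w", "-p", "-k") and i + 1 < len(args):
                if flag == "-w":
                    path = args[i + 1]
                else:
                    opts[flag] = args[i + 1]
                i += 2
            else:
                i += 1
        if path is None:
            raise ValueError(f"line {lineno}: -w without a path")
        watches.append(Watch(lineno, str(PurePosixPath(path)),
                             opts["-p"], opts["-k"]))
    return watches


def covers(outer: str, inner: str) -> bool:
    """True when a watch on `outer` also sees `inner` (same path or ancestor)."""
    o, i = PurePosixPath(outer), PurePosixPath(inner)
    return o == i or o in i.parents


def find_overlaps(watches: list[Watch]) -> list[tuple[Watch, Watch, str]]:
    """Return (broader, narrower, verdict) for every overlapping pair."""
    findings = []
    for a in watches:
        for b in watches:
            if a is b or not covers(a.path, b.path):
                continue
            if a.path == b.path:
                if a.lineno >= b.lineno:
                    continue   # report each same-path pair only once
                if (a.perms, a.key) == (b.perms, b.key):
                    verdict = "identical rule: the kernel rejects it (Rule exists)"
                else:
                    verdict = "same path, different perms/key: both rules load"
            elif a.key == b.key:
                verdict = "redundant: already covered by the broader watch with the same key"
            else:
                verdict = "ok: distinct key gives finer-grained triggering"
            findings.append((a, b, verdict))
    return findings


def lint(text: str) -> list[str]:
    """Human-readable findings for an audit.rules fragment."""
    return [f"line {a.lineno} ({a.path}, -k {a.key!r}) vs line {b.lineno} "
            f"({b.path}, -k {b.key!r}): {verdict}"
            for a, b, verdict in find_overlaps(parse_watches(text))]


if __name__ == "__main__":
    for msg in lint(SAMPLE_RULES):
        print(msg)
```

On a live system the same question is answered by loading the rules and inspecting what the kernel kept (`auditctl -l`), then confirming which key a change to a file under rules.d is reported with (`ausearch -k watch_audit_rules_d`).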
