[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Adding multiple watch rules on same path



On Tue, Aug 22, 2006 at 11:51:14AM -0400, Steve Grubb wrote:
> On the otherhand, suppose you wrote a system that dynamically alters the audit 
> rules. You could use the keyfield to identify those rules so that you do not 
> have to think about baseline rules the admin may have in place. IOW, you can 
> issue another rule to watch /etc/shadow for writes without checking to see if 
> it already exists. Also, you can delete the rule without worry that you are 
> deleting something the admin wants there as baseline.

I think it's useful to keep it, especially if it already works now.  A
file may need auditing for multiple overlapping reasons, and it's nice to
get consistent results in that case.

It's a feature beyond what CAPP/LSPP requires and it's only available to
admins, so there is no need to specifically test these combinations if
you're just going for CC compliance.

-Klaus


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]