adding rules after setting rules immutable

Richard Guy Briggs rgb at redhat.com
Thu Sep 8 16:16:41 UTC 2016


On 2016-09-08 09:52, Steve Grubb wrote:
> On Thursday, September 8, 2016 9:42:09 AM EDT warron.french wrote:
> > While working with RHEL-6 and RHEL-7 systems, and understanding that you
> > can set rules to immutable by adding *-e 2* to the end of the audit.rules
> > file(s), I realized something.
> > 
> > If I want to add rules to a system due to new IT Governance, I might have
> > to reboot every machine that gets the newly added rules.
> 
> Yes, you need to reboot. This is what immutable means - no changes allowed 
> during runtime.
> 
> > Is this true, or can I get away with simply executing, on both versions of
> > RHEL (6 and 7):
> > augenrules --check
> > augenrules --load
> 
> These will fail.

Warron, it isn't userspace that is gating this.  Once immutable is set,
the kernel simply stops listening to any changes requested.  Once
userspace invokes this command, it is powerless to change it until the
next boot.

> > I ask, because I want to write some puppet code that is smart enough to
> > ensure the rules are put into place.  Do I really have to reboot a server
> > in the middle of a work day or can I work around it with the use of the
> > *augenrules* commands as listed above?
> 
> This is what immutable does. If you need flexibility to change rules at will, 
> then you should comment out or delete the -e 2 at the end.
> 
> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
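Since the kernel, not userspace, refuses changes once `-e 2` has been loaded, configuration management has to find out the audit state before calling `augenrules --load` and, if the kernel is already immutable, stage the rules and schedule a reboot instead. The following POSIX sh snippet is an added example written for this thread, not code from the original message or from the audit project. It assumes that `auditctl -s` reports the state as a line of the form `enabled N` (0 off, 1 on, 2 immutable); the status texts embedded below are constructed samples, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original thread): decide whether audit rules can be
# reloaded at runtime before calling augenrules, so a Puppet exec or similar can
# choose between "load now" and "stage rules and flag a reboot".

# Constructed sample of `auditctl -s` output from a kernel already in immutable mode.
SAMPLE_STATUS_IMMUTABLE="enabled 2
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0"

# Constructed sample from a kernel that still accepts rule changes.
SAMPLE_STATUS_MUTABLE="enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0"

# audit_enabled_flag STATUS_TEXT
# Prints the value of the "enabled" field (0 = off, 1 = on, 2 = immutable).
audit_enabled_flag() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }'
}

# rules_request_immutable RULES_TEXT
# Returns 0 when the rules text contains a "-e 2" line, i.e. loading it will
# lock the kernel until the next boot; useful to warn before the first load.
rules_request_immutable() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*-e[[:space:]]+2[[:space:]]*$'
}

# plan_rule_load STATUS_TEXT
# Prints "load" when augenrules --load can still succeed, "reboot" when the
# kernel is immutable and new rules can only take effect after a reboot.
plan_rule_load() {
    case "$(audit_enabled_flag "$1")" in
        2)   echo reboot ;;
        0|1) echo load ;;
        *)   echo unknown ;;
    esac
}

# Stand-alone run against the live system when auditctl is available and
# readable (it normally requires root); otherwise the samples above suffice.
if command -v auditctl >/dev/null 2>&1; then
    status="$(auditctl -s 2>/dev/null)" && echo "live system: $(plan_rule_load "$status")"
fi
```

In a Puppet manifest this logic would sit in an `onlyif`/`unless` guard around the `augenrules --load` exec, with the `reboot` branch setting a reboot-required marker rather than failing the run; the `-e 2` check lets the same code report, before the first load, that the rule set will lock the kernel.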