Monitoring files

warron.french warron.french at gmail.com
Wed Apr 25 17:01:11 UTC 2018


Thanks, F Rafi.

Steve, does the "-i" flag go on a line simply by itself?

And so the benefit of this switch is that, for rules applied through the
audit.rules file that are monitoring files, wherein the files are not on
the system, it will do which:
1. Not load the rule, skip to the next rule and load it if possible?
2. Load the rule, but simply not indicate an error at all?

Therefore all rules that can be loaded will be loaded (if the files are in
place) and those that don't actually have their files to monitor will
simply not be added to the chain of rules?


Thanks for the explanation,



--------------------------
Warron French


On Wed, Apr 25, 2018 at 10:06 AM, F Rafi <farhanible at gmail.com> wrote:

> Warron,
>
> > Furthermore, where would I add the -i switch to a rule like this one:
>
> You basically put a "-i" on a separate line by itself afaik somewhere at
> the top of the audit rules file. All the rules below the -i line will not
> cause a load failure (Steve and RGB can confirm).
>
> Farhan
>
> On Tue, Apr 24, 2018 at 8:49 PM Richard Guy Briggs <rgb at redhat.com> wrote:
>
>> On 2018-04-24 18:04, warron.french wrote:
>> > Furthermore, where would I add the -i switch to a rule like this one:
>> >
>> > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
>>
>> I'm not aware of any per-rule switches to permit failure to load to be
>> non-fatal.  I was suggesting it might help in your situation to add such
>> a feature, but I think the better solution is a customized rule set for
>> each machine or type of machine.
>>
>> > ??
>> >
>> > --------------------------
>> > Warron French
>> >
>> >
>> > On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french at gmail.com> wrote:
>> >
>> > > Mr. Briggs/Rafi,
>> > >
>> > > I don't see the -i switch even mentioned in the manpage for audit.rules.
>> > > Is this a documented switch, or not yet a capability on Red Hat or CentOS
>> > > systems?
>> > >
>> > > Thanks in advance,
>> > >
>> > > --------------------------
>> > > Warron French
>> > >
>> > >
>> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
>> > >
>> > >> On 2018-04-23 23:41, F Rafi wrote:
>> > >> > Adding a -i to the rules file should ignore any errors.
>> > >>
>> > >> At risk of feature creep, it might be nice to have a flag to ignore
>> > >> certain rules but not others, a way to tag individual rules with either
>> > >> a must, or a different tag with "ignore if not present" for file rules.
>> > >>
>> > >> > -Farhan
>> > >> >
>> > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french at gmail.com> wrote:
>> > >> > > Hi, I have a requirement to monitor a ton of files, executables and
>> > >> > > config files.
>> > >> > >
>> > >> > > Anyway, not all of my systems have every file in the list; and when I
>> > >> > > add the rules appropriate, either as a Watch (-w) rule or as an Action
>> > >> > > (-a) rule, the rules stop loading when they find a rule that has a
>> > >> > > file that doesn't exist *on that particular system*.
>> > >> > >
>> > >> > > This is the intended effect, yes?
>> > >> > >
>> > >> > > Thanks in advance,
>> > >> > > --------------------------
>> > >> > > Warron French
>> > >>
>> > >> - RGB
>> > >>
>> > >> --
>> > >> Richard Guy Briggs <rgb at redhat.com>
>> > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
>> > >> Remote, Ottawa, Red Hat Canada
>> > >> IRC: rgb, SunRaycer
>> > >> Voice: +1.647.777.2635, Internal: (81) 32635
>> > >>
>> > >
>> > >
>>
>> - RGB
>>
>> --
>> Richard Guy Briggs <rgb at redhat.com>
>> Sr. S/W Engineer, Kernel Security, Base Operating Systems
>> Remote, Ottawa, Red Hat Canada
>> IRC: rgb, SunRaycer
>> Voice: +1.647.777.2635, Internal: (81) 32635
>>
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>
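Added example, not part of the thread and not code from the audit project: the thread discusses two ways around a rule that names a file missing on a given host. auditctl(8) documents `-i` as ignoring errors when reading rules from a file, so the rules after a bare `-i` line keep loading; the drawback is that nothing records which rules were dropped. The other option, which Richard Guy Briggs recommends, is a rule set customised per machine. The POSIX sh script below implements the second approach: it reads a master rules template, keeps `-w PATH` and `-F path=PATH` rules only when the path exists on this host, comments out the rest so the generated file documents what was skipped, and passes every other line (`-D`, `-b`, `-i`, syscall rules without `-F path=`, comments) through unchanged. The template in the `--demo` branch is constructed for illustration; the function and file names are this example's own.

```shell
#!/bin/sh
# Generate a per-host audit rules fragment from a master template.
# Rules that watch a path missing on this host are written out as
# comments, so augenrules/auditctl -R never stops at a load error for
# a file this host simply does not have.

# Print the path a rule watches: "-w PATH ..." or "... -F path=PATH ...".
# Returns 1 and prints nothing when the rule names no path.
rule_path() {
    case "$1" in
        -w\ *)
            printf '%s\n' "$1" | awk '{ print $2 }'
            ;;
        *-F\ path=*)
            printf '%s\n' "$1" | sed -n 's/.*-F path=\([^ ]*\).*/\1/p'
            ;;
        *)
            return 1
            ;;
    esac
}

# Read a rules template on stdin. Emit a rule unchanged when it names no
# path or its path exists; otherwise emit it as a comment that records
# the skip. The trailing "|| [ -n "$line" ]" keeps a last line that has
# no newline terminator.
filter_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        if p=$(rule_path "$line"); then
            if [ -e "$p" ]; then
                printf '%s\n' "$line"
            else
                printf '# skipped, missing on this host: %s\n' "$line"
            fi
        else
            printf '%s\n' "$line"
        fi
    done
}

# Number of live (non-comment, non-blank) lines in a generated fragment;
# a cheap sanity check before installing it under /etc/audit/rules.d/.
count_active_rules() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Demo with a constructed template (hypothetical paths, taken from the
# shape of the rules in the thread). Real use would be something like:
#   sh gen-rules.sh --demo > /etc/audit/rules.d/50-files.rules
#   augenrules --load
if [ "${1:-}" = "--demo" ]; then
    filter_rules <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /usr/bin/cgclassify -p x -k privileged
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b64 -S execve -k exec
EOF
fi
```

The skipped rules stay in the output as comments rather than vanishing, which is the practical difference from a bare `-i`: a later `grep skipped /etc/audit/rules.d/*.rules` on any host shows exactly which monitored files it lacks, instead of leaving that gap silent.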