From: Klaus Weidner <klaus@atsec.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Adding multiple watch rules on same path
Date: Tue, 22 Aug 2006 13:30:01 -0500
Message-ID: <20060822183001.GA4233@w-m-p.com>
In-Reply-To: <200608221151.14150.sgrubb@redhat.com>

On Tue, Aug 22, 2006 at 11:51:14AM -0400, Steve Grubb wrote:
> On the other hand, suppose you wrote a system that dynamically alters the audit
> rules. You could use the keyfield to identify those rules so that you do not
> have to think about baseline rules the admin may have in place. IOW, you can
> issue another rule to watch /etc/shadow for writes without checking to see if
> it already exists. Also, you can delete the rule without worry that you are
> deleting something the admin wants there as baseline.

I think it's useful to keep it, especially if it already works now. A
file may need auditing for multiple overlapping reasons, and it's nice to
get consistent results in that case.

It's a feature beyond what CAPP/LSPP requires and it's only available to
admins, so there is no need to specifically test these combinations if
you're just going for CC compliance.

-Klaus

Thread overview: 3+ messages
2006-08-22 15:32 Adding multiple watch rules on same path Loulwa Salem
2006-08-22 15:51 ` Steve Grubb
2006-08-22 18:30 ` Klaus Weidner [this message]