From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: Monitoring files
Date: Tue, 24 Apr 2018 21:40:37 -0400
Message-ID: <4017531.u0FdrI09fj@x2>
In-Reply-To: <CAJdJdQmgE3rYD31Ova2MVYtyH7EWTvvV0juZrSBkBTaLshd5DQ@mail.gmail.com>
On Tuesday, April 24, 2018 9:12:49 PM EDT warron.french wrote:
> Steve, I did a search on the manpage for auditctl and there were no
> references to any -i switch; of course it could be because the version
> we are on might be too old in comparison.
This is what the auditctl man page says from audit-1.0.16:

    -i    Ignore errors when reading rules from a file

I hope you are not using anything less than that.

-Steve
> On Tue, Apr 24, 2018 at 8:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2018-04-24 18:04, warron.french wrote:
> > > Furthermore, where would I add the -i switch to a rule like this one:
> > >
> > > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
> >
> > I'm not aware of any per-rule switches to permit failure to load to be
> > non-fatal. I was suggesting it might help in your situation to add such
> > a feature, but I think the better solution is a customized rule set for
> > each machine or type of machine.
> >
> > > ??
> > >
> > > --------------------------
> > > Warron French
> > >
> > > On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french@gmail.com> wrote:
> > > > Mr. Briggs/Rafi,
> > > >
> > > > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > > > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > > > systems?
> > > >
> > > > Thanks in advance,
> > > >
> > > > --------------------------
> > > > Warron French
> > > >
> > > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > >> On 2018-04-23 23:41, F Rafi wrote:
> > > >> > Adding a -i to the rules file should ignore any errors.
> > > >>
> > > >> At risk of feature creep, it might be nice to have a flag to ignore
> > > >> certain rules but not others, a way to tag individual rules with either
> > > >> a must, or a different tag with "ignore if not present" for file rules.
> > > >>
> > > >> > -Farhan
> > > >> >
> > > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french@gmail.com> wrote:
> > > >> > > Hi, I have a requirement to monitor a ton of files, executables and
> > > >> > > config files.
> > > >> > >
> > > >> > > Anyway, not all of my systems have every file in the list; and when I
> > > >> > > add the appropriate rules, either as a Watch (-w) rule or as an Action
> > > >> > > (-a) rule, the rules stop loading when they find a rule that has a file
> > > >> > > that doesn't exist *on that particular system*.
> > > >> > >
> > > >> > > This is the intended effect, yes?
> > > >> > >
> > > >> > > Thanks in advance,
> > > >> > > --------------------------
> > > >> > > Warron French
> > > >>
> > > >> - RGB
> > > >>
> > > >> --
> > > >> Richard Guy Briggs <rgb@redhat.com>
> > > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > >> Remote, Ottawa, Red Hat Canada
> > > >> IRC: rgb, SunRaycer
> > > >> Voice: +1.647.777.2635, Internal: (81) 32635
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
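The thread discusses two ways out of the "rules stop loading at the first missing file" problem: a blanket `-i` at the top of the rules file, and Richard's suggestion of a per-machine rule set. The following POSIX sh script is an added example (not from the thread, not part of audit or auditctl) that does the second: it reads a master rule set, drops any `-w` or `-a ... -F path=...` rule whose path does not exist on this host, reports what was skipped on stderr, and still leads the generated file with `-i` so that any remaining load error cannot abort the rest. The function names `rule_path`, `filter_rules` and `count_kept` are assumed helper names; it generalizes over both rule forms quoted above.

```shell
#!/bin/sh
# Constructed example: build a per-host audit rule set from a master file,
# keeping only file rules whose path exists on this machine.
# Handles the two rule forms discussed in the thread:
#   -w /path -p wa -k key
#   -a always,exit -F path=/path -F perm=x ... -k key
# Helper names below are assumed for this example; they are not audit tooling.

# rule_path RULE -> prints the file path a rule refers to, or nothing
# if the rule is not a file rule (e.g. a syscall rule with -F arch=...).
rule_path() {
    case "$1" in
        "-w "*)
            # watch rule: the path is the second whitespace-separated token
            printf '%s\n' "$1" | awk '{print $2}'
            ;;
        "-a "*)
            # action rule: value of the -F path=... field, if present
            printf '%s\n' "$1" | sed -n 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p'
            ;;
    esac
}

# filter_rules INFILE -> writes the host-specific rule set to stdout.
# Rules whose path is missing are reported on stderr and dropped; blank
# lines, comments and rules without a path pass through unchanged.
# The output starts with -i so a leftover load error is non-fatal.
filter_rules() {
    printf -- '-i\n'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        p=$(rule_path "$line")
        if [ -n "$p" ] && [ ! -e "$p" ]; then
            printf '# skipped (missing on this host): %s\n' "$line" >&2
            continue
        fi
        printf '%s\n' "$line"
    done < "$1"
}

# count_kept INFILE -> number of -a/-w rules that survived filtering
count_kept() {
    filter_rules "$1" 2>/dev/null | grep -c '^-[aw]'
}

# Usage (constructed): filter_rules /etc/audit/rules.d/master.rules > /etc/audit/rules.d/host.rules
```

The stderr report is the part worth keeping: a rule silently dropped on a host that should have had the file is itself a finding, so review the skipped list rather than relying on `-i` to hide it, and confirm the loaded set afterwards with `auditctl -l`. Paths containing whitespace are not handled by the token-based parsing above.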