From: Burn Alting <burn@swtf.dyndns.org>
To: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Adding enterprise capability - an includeConfig directive for audit.rules?
Date: Wed, 27 Mar 2013 20:38:07 +1100
Message-ID: <1364377087.31258.25.camel@swtf.swtf.dyndns.org>

All,

Has anyone considered allowing an includeConfig statement for
audit.rules (or auditd.conf if need be)?

The action would be to, at that point in the parse (or the end of the
file, if auditd.conf holds the directive), open the nominated directory
and any files within, and parse them.

The idea is to allow for localization of audit. At an enterprise level
one would deploy the common, corporate set of rules
in /etc/audit/audit.rules. Should a local system need additional rules
such as tailored file watches, workstation or capability specific
monitoring, these could appear in files in the includeConfig directory.

That way, distribution mechanisms such as puppet, rpm satellite server,
apt repositories, etc can maintain the corporate set of rules without
changing localized configurations on updates.

I'm happy to author this.

Regards
Burn Alting
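
A sketch of the expansion proposed above, as an added example that is not part of the original message and is not auditd code. `includeConfig` is the proposal's hypothetical directive; the function names, the owner and write-permission check on included files, and the constructed sample rules are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

DIRECTIVE = "includeConfig"  # hypothetical keyword from the proposal, not an auditd feature


def trusted(path, owner_uid):
    """Regular file owned by owner_uid and not writable by group or others."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def expand_rules(rules_path, owner_uid=0):
    """Expand each includeConfig line in place; return (rules, skipped names)."""
    out, skipped = [], []
    for line in Path(rules_path).read_text().splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] != DIRECTIVE:
            out.append(line)
            continue
        # Sorted order keeps the merged rule set identical on every run.
        for name in sorted(os.listdir(parts[1])):
            path = os.path.join(parts[1], name)
            if not trusted(path, owner_uid):
                skipped.append(name)
                continue
            # Local files only add rules: a nested directive line is dropped.
            out += [r for r in Path(path).read_text().splitlines()
                    if r.split()[:1] != [DIRECTIVE]]
    return out, skipped


def demo():
    """Constructed corporate file and local directory, expanded as the current user."""
    root = Path(tempfile.mkdtemp())
    local = root / "local.d"
    local.mkdir()
    for name, text, mode in [("10-web.rules", "-w /etc/httpd/conf -p wa -k httpd\n", 0o640),
                             ("20-loose.rules", "-w /tmp -p wa -k loose\n", 0o666)]:
        (local / name).write_text(text)
        (local / name).chmod(mode)  # 0o666 is world-writable, so it gets skipped
    # The directive sits before "-e 2", which locks the rule set until reboot.
    (root / "audit.rules").write_text(
        f"-D\n-w /etc/passwd -p wa -k identity\n{DIRECTIVE} {local}\n-e 2\n")
    return expand_rules(root / "audit.rules", owner_uid=os.getuid())
```

Calling `demo()` returns the merged rule list with the local watch inserted at the directive's position, plus the names of any files rejected by the permission check.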