Re: EXT :Re: Adding enterprise capability - an includeConfig directive for audit.rules?

From: Burn Alting <burn@swtf.dyndns.org>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: EXT :Re: Adding enterprise capability - an includeConfig directive for audit.rules?
Date: Fri, 19 Apr 2013 07:23:53 +1000	[thread overview]
Message-ID: <1366320233.29573.7.camel@swtf.swtf.dyndns.org> (raw)
In-Reply-To: <4497231.pB45ekPeTa@x2>

Steve,

I will make the changes on the weekend and re-submit.

Rgds
On Thu, 2013-04-18 at 09:49 -0400, Steve Grubb wrote:
> On Sunday, April 07, 2013 09:16:46 PM Burn Alting wrote:
> > Please find attached my patch on this matter.
> 
> Thanks for taking this on.
> 
> 
> > I essence, /etc/audit/audit.rules is now formed from files (.rules
> > suffixed) within /etc/audit/rules.d. The new script /sbin/augenrules is
> > executed by from either startup script,  /etc/init.d/auditd
> > or /usr/lib/systemd/system/auditd.service before calling auditctl.
> 
> One issue that I am concerned about is how this feature gets added to existing 
> setups. For example, someone may have a /etc/audit/audit.rules file, then 
> upgrade and if there is an empty shipped policy in /etc/audit/audit.d, it will 
> erase the installed rules.
> 
> So, I think we should have an /etc/sysconfig option that enables augenrules so 
> that an admin has to do something to turn this on thus preventing automatic 
> deletion of rules.
> 
> For systemd, I think we want to ship the service file with the ExecStartPost 
> line commented out which then requires an admin to take an action to enable. 
> We really don't want unexpected things to happen during an upgrade.
>  
> 
> > The generated file ensures
> >  - the last processed -D directive without an option, if present, is
> > emitted  on the first line
> 
> In generating rules, we should always start with -D. I can't imagine not 
> having it.
> 
> >  - the last processed -b directive, if present, is emitted on the second
> > line
> 
> We probably want the largest in all the processed files.
> 
> 
> >  - the last processed -f directive, if present, is emitted on the third
> > line
> 
> We probably want the largest here, too.
> 
> >  - the last processed -e directive, if present, is emitted as the last
> > line.
> 
> I was thinking that if any of the files try to ask for it to be immutable, then 
> it should go at the end.
> 
> > The file, /etc/audit/audit.rules, is only updated if it has changed.
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> 
> That is great, because any write could be an auditable event. At some point we 
> also might want to add support for a --check option which does everything 
> except overwrite the final rules.
> 
> -Steve