From: rshaw1@umbc.edu
Subject: Re: RHEL 6 audit.rules question
Date: Thu, 31 Jul 2014 09:58:35 -0400
Message-ID: <144e83098c4a9de1d34cd5504f8ad8cb.squirrel@webmail.umbc.edu>
In-Reply-To: <9bbafff9-6c53-475f-acf0-d0bf8ad07931@me.com>
To: Dan White
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

> On Jul 30, 2014, at 04:33 PM, Steve Grubb wrote:
>
>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>>> Does the system allow for the import/include of groups of rules in other
>>> files - like logrotate and /etc/logrotate.d/* ?
>>
>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
>> can be dropped off. The augenrules utility will "compile" those into a master
>> audit.rules file. You also have to enable augenrules by setting
>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. That is about as close as it
>> comes.
>>
>> -Steve
>
> Thanks for the quick answer.
> Any plans to release 2.3.x to RHEL 6 that can be shared?
I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing the following:

- Steal the augenrules script from a Fedora or RHEL7 package
- Use my configuration management system to create and manage files in /etc/audit/rules.d
- Schedule periodic runs of augenrules

I didn't have to set USE_AUGENRULES (maybe because the older audit system doesn't know to care?). It has been working very well for me as a way of managing differences in audit rules on systems while still keeping things centralized.

--Ray
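As an added example, not code from Ray's message or from the audit package: a small POSIX sh stand-in for the "compile" step of the backport above, plus an install step that only rewrites audit.rules when the merged content actually changed, so a scheduled run stays idempotent. It assumes (my reading of augenrules, not verified against the real script) that rules.d/*.rules are merged in sorted order with comments dropped, "-D" hoisted to the top and "-e" sunk to the bottom.

```shell
#!/bin/sh
# Stand-in for the augenrules "compile" step (an assumption about its
# behaviour, not the real script): merge rules.d/*.rules into one file that
# loads cleanly with "auditctl -R".
#   - files are read in sorted (glob) order, so 10-base.rules precedes 20-x.rules
#   - comment-only and blank lines are dropped
#   - "-D" (delete all rules) goes first, "-e" (enable/immutable flag) goes
#     last, whichever file they came from
compile_rules() {
    printf '## Generated from %s; edit the files in rules.d instead\n' "$1"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^-D/ { del  = del  $0 "\n"; next }
        /^-e/ { last = last $0 "\n"; next }
        { body = body $0 "\n" }
        END { printf "%s%s%s", del, body, last }
    ' "$1"/*.rules
}

# Write the compiled file only when its content changed, so the "periodic runs"
# from cron do not churn the file or its mtime (mktemp's 0600 mode also suits
# audit.rules). Prints "updated" or "unchanged" for the caller or cron log.
install_rules() {
    tmp=$(mktemp) || return 1
    compile_rules "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -f "$2" ] && cmp -s "$tmp" "$2"; then
        rm -f "$tmp"
        echo unchanged
    else
        mv "$tmp" "$2" && echo updated
    fi
}

# Typical scheduled use on the backported host (as root):
#   install_rules /etc/audit/rules.d /etc/audit/audit.rules \
#       && auditctl -R /etc/audit/audit.rules
```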