linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Watching over non-existent folder to maintain a generic audit.rules file
Date: Tue, 28 Jul 2015 15:23:49 -0400	[thread overview]
Message-ID: <1795651.WB0YxzRxgh@x2> (raw)
In-Reply-To: <55B79F1A.1040207@floriancrouzat.net>

On Tuesday, July 28, 2015 05:26:18 PM Florian Crouzat wrote:
> Unfortunately, I do not only watch over system-related files and folders
> but also applicative ones (eg custom path where some private keys are
> stored, etc) ..
> My problem is that these folders do not exist on all hosts, thus making
> it impossible to write a generic audit.rules file.

What kernel are you using? And user space package?


> As I said, I have thousands of hosts and I can't imagine deploying
> different files on every host depending on the profile of the host.
> I know puppet could help me for this kind of stuff but I don't have it
> yet and even though, it would be difficult to configure.

As of the 2.3 user space release, there is a utility, augenrules, which takes
files in /etc/audit/rules.d/ and compiles them into an audit.rules file. So, it
would be possible for you to package up some rules for bind and install them
when you install bind and have your package install a
/etc/audit/rules.d/bind.rules file. You can have a base config, and then one for
each kind of daemon or role that the machine serves.


> How do you guys usually work around this issue ? I'm pretty sure I'm not
> the first one wanting to deploy a generic hardening across many hosts
> (but maybe I'm the only one using auditd to watch over something else
> than pure system-related stuff?)

Others can chime in here.

-Steve

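The per-role layout Steve describes, as an added example that is not part of the original message and not the audit project's own code: it writes a constructed base fragment and a constructed bind fragment into a rules.d directory, merges them into one audit.rules in lexical filename order (this emulates only the concatenation step; the real augenrules also handles control options such as -D and -b specially), and then lists every -w watch whose path is absent on the current host, which is the situation Florian ran into. The file names 10-base.rules and 50-bind.rules and the watched paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not augenrules): per-role audit rule fragments, a merge step,
# and a check for watch rules whose target path does not exist on this host.

# make_rules_d DIR: write two constructed fragments under DIR/rules.d.
# The numeric prefixes are an assumption that gives a deterministic merge order.
make_rules_d() {
    dir="$1"
    mkdir -p "$dir/rules.d"
    cat > "$dir/rules.d/10-base.rules" <<'EOF'
## base rules shipped on every host (constructed sample)
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
EOF
    cat > "$dir/rules.d/50-bind.rules" <<'EOF'
## fragment installed only by the bind package (constructed sample)
-w /etc/named.conf -p wa -k bind
-w /var/named/ -p wa -k bind
EOF
}

# merge_rules DIR OUT: concatenate DIR/rules.d/*.rules in lexical order into
# OUT, dropping comment and blank lines. This is an emulation of the
# concatenation augenrules performs; it does not reorder control options.
merge_rules() {
    dir="$1"; out="$2"
    : > "$out"
    for f in "$dir"/rules.d/*.rules; do
        grep -Ev '^[[:space:]]*(#|$)' "$f" >> "$out" || true
    done
}

# count_rules RULES: number of active rule lines in the merged file.
count_rules() {
    wc -l < "$1" | tr -d ' '
}

# missing_watch_paths RULES: print the path of every "-w PATH ..." rule whose
# PATH does not exist on this host. Paths containing whitespace are not
# handled, which matches how such rules are normally written.
missing_watch_paths() {
    awk '$1 == "-w" { print $2 }' "$1" | while IFS= read -r p; do
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Stand-alone demonstration in a temporary directory (constructed input).
demo_dir=$(mktemp -d)
make_rules_d "$demo_dir"
merge_rules "$demo_dir" "$demo_dir/audit.rules"
printf 'Merged %s active rules:\n' "$(count_rules "$demo_dir/audit.rules")"
cat "$demo_dir/audit.rules"
printf 'Watch paths absent on this host:\n'
missing_watch_paths "$demo_dir/audit.rules"
rm -rf "$demo_dir"
```

Running missing_watch_paths against the merged file on each host before loading it shows which role fragments do not belong there; the fix the reply suggests is to ship that fragment with the package that creates the path rather than to carry it in the base file.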
Thread overview: 7+ messages
2015-07-28 15:26 Watching over non-existent folder to maintain a generic audit.rules file Florian Crouzat
2015-07-28 19:23 ` Steve Grubb [this message]
2015-07-28 22:39   ` Burn Alting
2015-07-29  6:24     ` Florian Crouzat
2015-08-04 13:57       ` Florian Crouzat
2015-08-04 19:55         ` Steve Grubb
2015-08-04 22:26           ` Burn Alting
