From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Watching over non-existent folder to maintain a generic audit.rules file Date: Tue, 28 Jul 2015 15:23:49 -0400 Message-ID: <1795651.WB0YxzRxgh@x2> References: <55B79F1A.1040207@floriancrouzat.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <55B79F1A.1040207@floriancrouzat.net> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tuesday, July 28, 2015 05:26:18 PM Florian Crouzat wrote: > Unfortunately, I do not only watch over system-related files and folders > but also applicative ones (eg custom path where some private keys are > stored, etc) .. > My problem is that these folders do not exists on all hosts thus making > it impossible to write a generic audit.rules files. What kernel are you using? And user space package? > As I said, I have thousands of hosts and I can't imagine deploying > different files on every hosts depending on the profile of the host. > I know puppet could help me for this kind of stuff but I don't have it > yet and even though, it would be difficult to configure. As of the 2.3 user space release, there is a utility, augenrules which takes files in /etc/audit/rules.d/ and compiles them into an audit.rules file. So, it would be possible for you to package up some rules for bind and install them when you install bind and have your package install a /etc/audit/rules.d/bind.rules file. You can have a base config, and then one for each kind of daemon or role that the machine serves. > How do you guys usually workaround this issue ? I'm pretty sure I'm not > the first one wanting to deploy a generic hardening across many hosts > (but maybe I'm the only one using auditd to watch over something else > than pure system-related stuff? Others can chime in here. -Steve