From: Klaus Weidner
Subject: Re: Adding multiple watch rules on same path
Date: Tue, 22 Aug 2006 13:30:01 -0500
Message-ID: <20060822183001.GA4233@w-m-p.com>
In-Reply-To: <200608221151.14150.sgrubb@redhat.com>
References: <44EB239D.4040709@us.ibm.com> <200608221151.14150.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, Aug 22, 2006 at 11:51:14AM -0400, Steve Grubb wrote:
> On the other hand, suppose you wrote a system that dynamically alters the audit
> rules. You could use the key field to identify those rules so that you do not
> have to think about baseline rules the admin may have in place. IOW, you can
> issue another rule to watch /etc/shadow for writes without checking to see if
> it already exists. Also, you can delete the rule without worry that you are
> deleting something the admin wants there as baseline.

I think it's useful to keep it, especially if it already works now. A file may
need auditing for multiple overlapping reasons, and it's nice to get consistent
results in that case.

It's a feature beyond what CAPP/LSPP requires and it's only available to
admins, so there is no need to specifically test these combinations if you're
just going for CC compliance.

-Klaus
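The key-based workflow Steve describes (a dynamic component adds its own watch on /etc/shadow tagged with its own key, and later removes only that watch, leaving the admin's baseline rules untouched) can be shown as a small shell helper. This is an added example written for this page, not code from the thread or from the audit project; the baseline rules, the key names `baseline_identity`, `baseline_priv` and `dyn_shadow`, and the helper names are all constructed for the illustration. The `auditctl -w/-p/-k` and `auditctl -W` syntax is the documented way to add and delete watches; the commands are only printed here, not executed, so the script runs without root or auditd.

```shell
#!/bin/sh
# Added example: managing keyed audit watch rules next to an admin's baseline rules.
# Nothing here touches a live audit subsystem; auditctl commands are printed, not run.

# Constructed baseline rules an admin might keep in /etc/audit/audit.rules.
# Note the existing watch on /etc/shadow with its own key.
BASELINE_RULES='-w /etc/shadow -p wa -k baseline_identity
-w /etc/passwd -p wa -k baseline_identity
-w /etc/sudoers -p wa -k baseline_priv'

# Rule line a dynamic component would add: watch PATH for PERMS, tagged with KEY.
# Usage: watch_rule PATH PERMS KEY
watch_rule() {
    printf -- '-w %s -p %s -k %s\n' "$1" "$2" "$3"
}

# Live install of the same rule (auditctl -w adds a watch). Printed only.
add_cmd() {
    printf 'auditctl %s' "$(watch_rule "$1" "$2" "$3")"
    printf '\n'
}

# Matching delete: auditctl -W removes a watch; giving the same key selects
# only the rule this component added, not the admin's watch on the same path.
del_cmd() {
    printf 'auditctl -W %s -p %s -k %s\n' "$1" "$2" "$3"
}

# Filter a rules text on stdin, dropping only lines tagged with KEY.
# Baseline lines (other keys) pass through unchanged.
drop_key() {
    grep -v -- "-k $1"'$'
}

# Count rules on stdin that carry KEY (prints 0 when none match).
count_key() {
    grep -c -- "-k $1"'$'
}

# Combined rules: baseline plus the dynamically added second watch on /etc/shadow.
# Two watches on one path coexist because their keys differ.
RULES="$BASELINE_RULES
$(watch_rule /etc/shadow w dyn_shadow)"

# Rules text after the dynamic component withdraws its own rule by key.
RULES_AFTER_REMOVAL="$(printf '%s\n' "$RULES" | drop_key dyn_shadow)"

# Demonstration output (the live commands the component would issue):
add_cmd /etc/shadow w dyn_shadow
del_cmd /etc/shadow w dyn_shadow
printf '%s\n' "$RULES_AFTER_REMOVAL"
```

The point the filter makes is the one from the thread: deletion is scoped by key, so removing `dyn_shadow` leaves the admin's `baseline_identity` watch on the same file in place, and no pre-check for an existing watch is needed before adding.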