From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: auditd on nonexistent files
Date: Fri, 18 Sep 2015 01:22:06 +0100
Message-ID: <20150918012206.65b9fb5d@ivy-bridge>
References: <55F6EF4D.7050203@sensa.is> <20150915101503.0dd9e4d4@ivy-bridge>
	<20150915100734.GY8140@madcap2.tricolour.ca>
	<55F920CA.8020703@floriancrouzat.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <55F920CA.8020703@floriancrouzat.net>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Florian Crouzat <tech@floriancrouzat.net>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 16 Sep 2015 09:56:58 +0200
Florian Crouzat <tech@floriancrouzat.net> wrote:
> I asked the same question in the "Watching over non-existent folder to
> maintain a generic audit.rules file" thread but got different hints.
> I've been directed to augenrules which could help but this doesn't
> really match or facilitate my needs to replace my current FIM tool by
> auditd which requires me to write a generic configuration with all
> possibles folders (including applicative ones) and deploy accross all
> hosts without knowing which host runs which app and/or contains which
> folders.

That is not the intended way to use augenrules. The intention is to have
a base set of rules that apply to everything. Then drop in rules that
apply to that type of system. IOW, you would not put apache rules
on your DNS system because that doesn't make sense.

-Steve