* Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?
From: leam hall @ 2016-02-02 17:05 UTC
To: linux-audit
Running into errors where we're pushing out a blanket audit.rules file and
some servers don't have some of the files. I've seen the -i and -c
suggestion for auditctl but wanted to confirm that that's the right choice.
We need to ensure warnings don't choke auditd or make it skip other rules.
--
Mind on a Mission <http://leamhall.blogspot.com/>
* Re: Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?
From: Steve Grubb @ 2016-02-02 19:03 UTC
To: leam hall; +Cc: linux-audit
On Tue, 2 Feb 2016 12:05:38 -0500
leam hall <leamhall@gmail.com> wrote:
> Running into errors where we're pushing out a blanket audit.rules
> file and some servers don't have some of the files. I've seen the -i
> and -c suggestion for auditctl but wanted to confirm that that's the
> right choice. We need to ensure warnings don't choke auditd or make
> it skip other rules.
-c will make it continue but ultimately report failure.
-i will make it continue and pretend nothing is wrong.
Either could be correct depending on whether you want success or
failure final status.
-Steve
* Re: Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?
From: leam hall @ 2016-02-02 19:12 UTC
To: Steve Grubb; +Cc: linux-audit
Thanks Steve! In this case I think we want it to pretend nothing is wrong.
Sadly, that means other errors might get passed over so we have to watch
for those.
Leam
On Tue, Feb 2, 2016 at 2:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tue, 2 Feb 2016 12:05:38 -0500
> leam hall <leamhall@gmail.com> wrote:
>
> > Running into errors where we're pushing out a blanket audit.rules
> > file and some servers don't have some of the files. I've seen the -i
> > and -c suggestion for auditctl but wanted to confirm that that's the
> > right choice. We need to ensure warnings don't choke auditd or make
> > it skip other rules.
>
> -c will make it continue but ultimately report failure.
> -i will make it continue and pretend nothing is wrong.
>
> Either could be correct depending on whether you want success or
> failure final status.
>
> -Steve
>
--
Mind on a Mission <http://leamhall.blogspot.com/>
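
One way to act on the concern in the last message, as an added example that is not part of the thread: list the watch targets a blanket audit.rules names that are missing on a host before loading it, so any error beyond those expected absences stands out. The function names and the sample rules are constructed for illustration, and only the `-w`, `-F path=` and `-F dir=` rule forms are parsed (paths containing spaces are not handled).

```shell
#!/bin/sh
# Added example (not from the thread): list watch targets named in an
# audit.rules file that do not exist on this host.

# Print every path named by "-w PATH", "-F path=PATH" or "-F dir=PATH".
watch_paths() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-w") {
                    print $(i + 1)
                } else if ($i == "-F" && $(i + 1) ~ /^(path|dir)=/) {
                    v = $(i + 1)
                    sub(/^[^=]*=/, "", v)        # drop the "path=" / "dir=" prefix
                    print v
                }
            }
        }' "$1"
}

# Print the subset of those paths that is absent here, one per line.
missing_watch_paths() {
    watch_paths "$1" | sort -u | while IFS= read -r p; do
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Constructed sample: one existing target, two missing, one syscall rule.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/present.conf"
    cat > "$tmp/audit.rules" <<EOF
# constructed sample rules
-w $tmp/present.conf -p wa -k present
-w $tmp/absent.conf -p wa -k absent
-a always,exit -F dir=$tmp/absent.d -F perm=wa -k absent_dir
-a always,exit -F arch=b64 -S chmod -k perm_mod
EOF
    missing_watch_paths "$tmp/audit.rules"
    rm -rf "$tmp"
}

demo
```

Paths this reports are the expected failures on that host; an error from a `-c` load that does not correspond to one of them is the kind that `-i` would have hidden.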