Linux-audit Archive on lore.kernel.org
* Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?
@ 2016-02-02 17:05 leam hall
  2016-02-02 19:03 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: leam hall @ 2016-02-02 17:05 UTC
  To: linux-audit


Running into errors where we're pushing out a blanket audit.rules file and
some servers don't have some of the files. I've seen the -i and -c
suggestion for auditctl but wanted to confirm that that's the right choice.
We need to ensure warnings don't choke auditd or make it skip other rules.

-- 
Mind on a Mission <http://leamhall.blogspot.com/>


* Re: Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?
  2016-02-02 17:05 Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules? leam hall
@ 2016-02-02 19:03 ` Steve Grubb
  2016-02-02 19:12   ` leam hall
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2016-02-02 19:03 UTC
  To: leam hall; +Cc: linux-audit

On Tue, 2 Feb 2016 12:05:38 -0500
leam hall <leamhall@gmail.com> wrote:

> Running into errors where we're pushing out a blanket audit.rules
> file and some servers don't have some of the files. I've seen the -i
> and -c suggestion for auditctl but wanted to confirm that that's the
> right choice. We need to ensure warnings don't choke auditd or make
> it skip other rules.

-c will make it continue but ultimately report failure.
-i will make it continue and pretend nothing is wrong.

Either could be correct depending on whether you want success or
failure final status.

-Steve


* Re: Current Red Hat Kernels 2.6.18 & 2.6.32 not able to have non-existent files in audit.rules?
  2016-02-02 19:03 ` Steve Grubb
@ 2016-02-02 19:12   ` leam hall
  0 siblings, 0 replies; 3+ messages in thread
From: leam hall @ 2016-02-02 19:12 UTC
  To: Steve Grubb; +Cc: linux-audit


Thanks Steve! In this case I think we want it to pretend nothing is wrong.
Sadly, that means other errors might get passed over so we have to watch
for those.

Leam

On Tue, Feb 2, 2016 at 2:03 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Tue, 2 Feb 2016 12:05:38 -0500
> leam hall <leamhall@gmail.com> wrote:
>
> > Running into errors where we're pushing out a blanket audit.rules
> > file and some servers don't have some of the files. I've seen the -i
> > and -c suggestion for auditctl but wanted to confirm that that's the
> > right choice. We need to ensure warnings don't choke auditd or make
> > it skip other rules.
>
> -c will make it continue but ultimately report failure.
> -i will make it continue and pretend nothing is wrong.
>
> Either could be correct depending on whether you want success or
> failure final status.
>
> -Steve
>



-- 
Mind on a Mission <http://leamhall.blogspot.com/>
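
Added example, not part of the thread and not code from the audit project: a shell function that lists the rules in an audit.rules file whose watched path does not exist on this host, so that when the file is loaded with -i the expected missing-file failures can be told apart from other rule errors. The function name `missing_watch_paths` and the sample rules are constructed, and it assumes simple rules (comments start in column one, no quoted paths with spaces).

```shell
#!/bin/sh
# missing_watch_paths FILE
# Prints "LINE<TAB>PATH" for every "-w PATH", "-F path=PATH" or "-F dir=PATH"
# in FILE whose PATH does not exist on this host.
# Returns 0 when nothing is missing, 1 otherwise.
missing_watch_paths() {
    rules_file=$1
    lineno=0
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        prev=
        set -f                            # no globbing while word-splitting
        for word in $line; do
            path=
            case $prev in
                -w) path=$word ;;         # file or directory watch
                -F) case $word in         # path-based field in a syscall rule
                        path=*|dir=*) path=${word#*=} ;;
                    esac ;;
            esac
            if [ -n "$path" ] && [ ! -e "$path" ]; then
                printf '%s\t%s\n' "$lineno" "$path"
                missing=1
            fi
            prev=$word
        done
        set +f
    done < "$rules_file"
    return "$missing"
}

# Constructed sample rules (not from the thread); the second path is made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample audit.rules
-w /etc/passwd -p wa -k identity
-w /nonexistent/example.conf -p wa -k example
-a always,exit -F dir=/etc -F perm=wa -k etc-changes
EOF
missing_watch_paths "$sample" || echo "paths listed above are missing on this host"
rm -f "$sample"
```

Run against the blanket rules file on each server before loading it; any load error on a line that is not in this list is one of the "other errors" that -i would otherwise hide.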
