public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: "warron.french" <warron.french@gmail.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
	Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: Monitoring files
Date: Wed, 25 Apr 2018 17:46:24 -0400	[thread overview]
Message-ID: <20180425174624.5b7ba10d@ivy-bridge> (raw)
In-Reply-To: <CAJdJdQnyaWpMzJciBiko+eupQT1_XYxat=iN2K6VEHPs-K=P5Q@mail.gmail.com>

On Wed, 25 Apr 2018 13:01:11 -0400
"warron.french" <warron.french@gmail.com> wrote:

> Thanks *F Rafi.*
> 
> *Steve*, does the "-i" flag go on a line simply by itself?

Yes. Just like the -D at the top of the rules.


> And so the benefit of this switch is that for rules applied through
> the audit.rules file; that are monitoring files - wherein the files
> are not on the system will do which:
> 1.  Not load the rule, skip to the next rule and load it if possible?

Yes

> 2. Load the rule, but will simply not indicate an error at all?
> 
> Therefore all rules that can be loaded will be loaded (if the files
> are in place) and those that don't actually have their files to
> monitor will simply not be added to the chain of rules?

Yes. Note that there is also a '-c' rule that will continue loading and
then give you a summary yes/no: Yes, all rules loaded; No, one or more
rules did not load. The '-i' will always report success.

-Steve
 

> --------------------------
> Warron French
> 
> 
> On Wed, Apr 25, 2018 at 10:06 AM, F Rafi <farhanible@gmail.com> wrote:
> 
> > Warron,
> >  
> > > Furthermore, where would I add the -i switch to a rule like this
> > > one:  
> >
> > You basically put a "-i" on a separate line by itself afaik
> > somewhere at the top of the audit rules file. All the rules below
> > the -i line will not cause a load failure (Steve and RGB can
> > confirm).
> >
> > Farhan
> >
> > On Tue, Apr 24, 2018 at 8:49 PM Richard Guy Briggs <rgb@redhat.com>
> > wrote: 
> >> On 2018-04-24 18:04, warron.french wrote:  
> >> > Furthermore, where would I add the -i switch to a rule like this
> >> > one:
> >> >
> >> > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F
> >> > auid>=1000 -F auid!=4294967295 -k privileged  
> >>
> >> I'm not aware of any per-rule switches to permit failure to load
> >> to be non-fatal.  I was suggesting it might help in your situation
> >> to add such a feature, but I think the better solution is a
> >> customized rule set for each machine or type of machine.
> >>  
> >> > ??
> >> >
> >> > --------------------------
> >> > Warron French
> >> >
> >> >
> >> > On Tue, Apr 24, 2018 at 6:03 PM, warron.french
> >> > <warron.french@gmail.com> wrote:
> >> >
> >> > > Mr. Briggs/Rafi,
> >> > >
> >> > > I don't see the -i switch even mentioned in the manpage for
> >> > > audit.rules. Is this a documented switch, or not yet a capability
> >> > > on Red Hat or CentOS systems?
> >> > >
> >> > > Thanks in advance,
> >> > >
> >> > > --------------------------
> >> > > Warron French
> >> > >
> >> > >
> >> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs
> >> > > <rgb@redhat.com> wrote:
> >> > >  
> >> > >> On 2018-04-23 23:41, F Rafi wrote:
> >> > >> > Adding a -i to the rules file should ignore any errors.
> >> > >>
> >> > >> At risk of feature creep, it might be nice to have a flag to
> >> > >> ignore certain rules but not others, a way to tag individual
> >> > >> rules with either a must, or a different tag with "ignore if not
> >> > >> present" for file rules.
> >> > >>
> >> > >> > -Farhan
> >> > >> >
> >> > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french
> >> > >> > <warron.french@gmail.com> wrote:
> >> > >> > > Hi, I have a requirement to monitor a ton of files,
> >> > >> > > executables and config files.
> >> > >> > >
> >> > >> > > Anyway, not all of my systems have every file in the
> >> > >> > > list; and when I add the rules appropriate, either as a
> >> > >> > > Watch (-w) rule or as an Action (-a) rule, the rules stop
> >> > >> > > loading when they find a rule that has a file that
> >> > >> > > doesn't exist *on that particular system*.
> >> > >> > >
> >> > >> > > This is the intended effect, yes?
> >> > >> > >
> >> > >> > > Thanks in advance,
> >> > >> > > --------------------------
> >> > >> > > Warron French
> >> > >>
> >> > >> - RGB
> >> > >>
> >> > >> --
> >> > >> Richard Guy Briggs <rgb@redhat.com>
> >> > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> > >> Remote, Ottawa, Red Hat Canada
> >> > >> IRC: rgb, SunRaycer
> >> > >> Voice: +1.647.777.2635, Internal: (81) 32635
> >> > >>  
> >> > >
> >> > >  
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <rgb@redhat.com>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >>
> >> --
> >> Linux-audit mailing list
> >> Linux-audit@redhat.com
> >> https://www.redhat.com/mailman/listinfo/linux-audit
> >>  
> >  
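The thread settles on putting "-D" and "-i" (or "-c") on their own lines at the top of audit.rules so that watches on files absent from a given host do not abort the load. The following POSIX shell script is an added example, not part of the thread or of the audit project: it reads a rules file, pulls the target path out of every "-w" watch and every "-F path=" filter, and reports which of those paths do not exist on the host it runs on. Those are exactly the rules that "-i" would skip silently and that "-c" would report as "No" in its summary, so running it before `auditctl -R` or `augenrules --load` shows in advance what the kernel will not receive. The function names, the sample rules file, and the deliberately missing path under /opt are constructed for this example; "-F dir=" watches are not handled.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): list the -w and
# -F path= rules in an audit.rules file whose target is absent on this host.

# Print the filesystem path a single rule line refers to, or nothing if the
# line is neither a -w watch nor a rule carrying an -F path= filter.
rule_path() {
    case "$1" in
        "-w "*)
            # "-w /etc/passwd -p wa -k identity" -> second field is the path
            printf '%s\n' "$1" | awk '{print $2}'
            ;;
        *"-F path="*)
            # "-a always,exit -F path=/usr/bin/foo -F perm=x ..." -> value after path=
            printf '%s\n' "$1" | sed -n 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p'
            ;;
    esac
}

# Print "MISSING <rule>" for every rule whose path does not exist here.
# Returns 0 when every path exists and 1 otherwise, mirroring the yes/no
# summary the thread describes for "-c". Blank lines and comments are skipped.
missing_rule_paths() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        p=$(rule_path "$line")
        [ -n "$p" ] || continue
        if [ ! -e "$p" ]; then
            printf 'MISSING %s\n' "$line"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample rules file for a stand-alone run. "-D" and "-i" sit on
# lines of their own at the top, as the thread describes; the last watch
# points at a path that deliberately does not exist on any normal host.
write_sample_rules() {
    cat > "$1" <<'EOF'
-D
-b 8192
-i
-w /etc/passwd -p wa -k identity
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-w /opt/example-missing/app.conf -p wa -k appconf
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
missing_rule_paths "$sample" || echo "one or more watched paths are absent on this host"
rm -f "$sample"
```

The exit status of `missing_rule_paths` is what a configuration-management run would key on: a non-zero result means that, without "-i", loading would stop at the first reported line, and with "-i" those lines would be dropped and nothing would say so. Keeping the report alongside the per-host rule set is the cheap way to know which of the intended watches are actually in force on each machine.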
