public inbox for linux-audit@redhat.com
* RHEL 6 audit.rules question
@ 2014-07-30 20:21 Dan White
From: Dan White @ 2014-07-30 20:21 UTC (permalink / raw)
  To: linux-audit



Does the system allow for the import/include of groups of rules in other files -
like logrotate and /etc/logrotate.d/* ?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & Hobbes)


* Re: RHEL 6 audit.rules question
From: Steve Grubb @ 2014-07-30 20:33 UTC (permalink / raw)
  To: linux-audit

On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
> Does the system allow for the import/include of groups of rules in other
> files - like logrotate and /etc/logrotate.d/* ?

No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules 
can be dropped off. The augenrules utility will "compile" those into a master 
audit.rules file. You also have to enable augenrules by setting 
USE_AUGENRULES="yes" in /etc/sysconfig/audit. That is about as close as it 
comes.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: RHEL 6 audit.rules question
@ 2014-07-31 11:59 Dan White
From: Dan White @ 2014-07-31 11:59 UTC (permalink / raw)
  To: linux-audit



On Jul 30, 2014, at 04:33 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>        > Does the system allow for the import/include of groups of rules in other
>        > files - like logrotate and /etc/logrotate.d/* ?
>
> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
> can be dropped off. The augenrules utility will "compile" those into a master
> audit.rules file. You also have to enable augenrules by setting
> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as it
> comes.
>
> -Steve
 
Thanks for the quick answer.
Any plans to release 2.3.x to RHEL 6 that can be shared?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”  (Bill Watterson: Calvin & Hobbes)


* Re: RHEL 6 audit.rules question
From: rshaw1 @ 2014-07-31 13:58 UTC (permalink / raw)
  To: Dan White; +Cc: linux-audit

> On Jul 30, 2014, at 04:33 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>>        > Does the system allow for the import/include of groups of rules
>> in other
>>        > files - like logrotate and /etc/logrotate.d/* ?
>>
>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where
>> rules
>> can be dropped off. The augenrules utility will "compile" those into a
>> master
>> audit.rules file. You also have to enable augenrules by setting
>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as
>> it
>> comes.
>>
>> -Steve
>
> Thanks for the quick answer.
> Any plans to release 2.3.x to RHEL 6 that can be shared ?

I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing
the following:

- Steal the augenrules script from a Fedora or RHEL7 package
- Use my configuration management system to create and manage files in
/etc/audit/rules.d
- Schedule periodic runs of augenrules

I didn't have to set USE_AUGENRULES (maybe because the older audit system
doesn't know to care?).  It has been working very well for me as a way of
managing differences in audit rules on systems while still keeping things
centralized.

--Ray
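Steve describes augenrules "compiling" the drop-ins in /etc/audit/rules.d into one audit.rules, and Ray runs that step periodically on RHEL 6; the script below is an added illustration of that workflow, not the augenrules script shipped in the audit package. The function names compile_rules_d and load_if_changed are made up here, and the reload guard assumes the audit 2.x "enabled N" line format of auditctl -s.

```shell
#!/bin/sh
# Added illustration of the rules.d workflow from this thread: a minimal
# stand-in for augenrules' compile step plus a guarded reload suitable for
# a periodic (cron) run. Not the augenrules script from the audit package.
export LC_ALL=C   # deterministic glob order: 10-base.rules before 99-finalize.rules

# compile_rules_d <rules.d dir> <output file>
# Concatenates *.rules drop-ins in lexical order, dropping comments and blank
# lines. '-D' (flush all rules) is forced to the top and '-e' (enable/immutable)
# to the bottom, so no drop-in can lock the configuration before later files load.
compile_rules_d() {
    rulesd="$1"; out="$2"
    {
        echo "## Generated from $rulesd; edit the drop-ins, not this file"
        printf '%s\n' "-D"
        for f in "$rulesd"/*.rules; do
            [ -f "$f" ] || continue
            echo "## from $(basename "$f")"
            grep -v -E '^[[:space:]]*(#|$)' "$f" \
                | grep -v -E '^-(D|e)([[:space:]]|$)' || true
        done
        # honour the last '-e N' any drop-in asked for; default to '-e 1'
        enable=$(grep -h -E '^-e[[:space:]]+[0-9]' "$rulesd"/*.rules 2>/dev/null | tail -n 1)
        printf '%s\n' "${enable:--e 1}"
    } > "$out"
}

# load_if_changed <compiled file> [live audit.rules]
# For the scheduled run: reload only when the compiled file differs from the
# live one, and never while the kernel config is immutable ('auditctl -R'
# would fail, and '-e 2' is only undone by a reboot). Assumes the audit 2.x
# 'auditctl -s' output format ("enabled N" on its own line).
load_if_changed() {
    new="$1"; live="${2:-/etc/audit/audit.rules}"
    if cmp -s "$new" "$live"; then
        return 0
    fi
    if auditctl -s 2>/dev/null | grep -q '^enabled 2'; then
        echo "audit rules are immutable (-e 2); reboot needed before applying $new" >&2
        return 1
    fi
    cp -p "$new" "$live" && auditctl -R "$live"
}
```

Run compile_rules_d from the scheduled job, then load_if_changed with its output; the cmp check keeps a periodic run from flushing and re-adding identical rules every interval.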


* Re: RHEL 6 audit.rules question
From: Dan White @ 2014-08-01  1:46 UTC (permalink / raw)
  To: linux-audit


On Jul 31, 2014, at 9:58 AM, rshaw1@umbc.edu wrote:

>> On Jul 30, 2014, at 04:33 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> 
>>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>>>> Does the system allow for the import/include of groups of rules
>>> in other
>>>> files - like logrotate and /etc/logrotate.d/* ?
>>> 
>>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where
>>> rules
>>> can be dropped off. The augenrules utility will "compile" those into a
>>> master
>>> audit.rules file. You also have to enable augenrules by setting
>>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as
>>> it
>>> comes.
>>> 
>>> -Steve
>> 
>> Thanks for the quick answer.
>> Any plans to release 2.3.x to RHEL 6 that can be shared ?
> 
> I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing
> the following:
> 
> - Steal the augenrules script from a Fedora or RHEL7 package
> - Use my configuration management system to create and manage files in
> /etc/audit/rules.d
> - Schedule periodic runs of augenrules
> 
> I didn't have to set USE_AUGENRULES (maybe because the older audit system
> doesn't know to care?).  It has been working very well for me as a way of
> managing differences in audit rules on systems while still keeping things
> centralized.
> 
> --Ray
> 

Great idea.  I may explore that.
Thanks.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” 
Bill Watterson (Calvin & Hobbes)

