From: Dan White
Subject: RHEL 6 audit.rules question
Date: Wed, 30 Jul 2014 20:21:45 +0000 (GMT)
To: linux-audit@redhat.com

Does the system allow for the import/include of groups of rules in other files -
like logrotate and /etc/logrotate.d/* ?

"Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us." (Bill Waterson: Calvin & Hobbes)

From: Steve Grubb
Subject: Re: RHEL 6 audit.rules question
Date: Wed, 30 Jul 2014 16:33:39 -0400
To: linux-audit@redhat.com
In-Reply-To: <9d974eab-ed36-47dc-8cab-06897c0c424c@me.com>

On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
> Does the system allow for the import/include of groups of rules in other
> files - like logrotate and /etc/logrotate.d/* ?

No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
can be dropped off. The augenrules utility will "compile" those into a master
audit.rules file. You also have to enable augenrules by setting
USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as it
comes.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From: Dan White
Subject: Re: RHEL 6 audit.rules question
Date: Thu, 31 Jul 2014 11:59:02 +0000 (GMT)
To: linux-audit@redhat.com
In-Reply-To: <2682321.Va77HSEmM0@x2>

On Jul 30, 2014, at 04:33 PM, Steve Grubb wrote:

> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
> > Does the system allow for the import/include of groups of rules in other
> > files - like logrotate and /etc/logrotate.d/* ?
>
> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
> can be dropped off. The augenrules utility will "compile" those into a master
> audit.rules file. You also have to enable augenrules by setting
> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as it
> comes.
>
> -Steve

Thanks for the quick answer.
Any plans to release 2.3.x to RHEL 6 that can be shared ?
From: rshaw1@umbc.edu
Subject: Re: RHEL 6 audit.rules question
Received: Thu, 31 Jul 2014 09:58:37 -0400 (no Date header survives in the archive)
Message-ID: <144e83098c4a9de1d34cd5504f8ad8cb.squirrel@webmail.umbc.edu>
To: Dan White
Cc: linux-audit@redhat.com
In-Reply-To: <9bbafff9-6c53-475f-acf0-d0bf8ad07931@me.com>

> On Jul 30, 2014, at 04:33 PM, Steve Grubb wrote:
>
>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>>> Does the system allow for the import/include of groups of rules in other
>>> files - like logrotate and /etc/logrotate.d/* ?
>>
>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
>> can be dropped off. The augenrules utility will "compile" those into a master
>> audit.rules file. You also have to enable augenrules by setting
>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as it
>> comes.
>>
>> -Steve
>
> Thanks for the quick answer.
> Any plans to release 2.3.x to RHEL 6 that can be shared ?

I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing
the following:

- Steal the augenrules script from a Fedora or RHEL7 package
- Use my configuration management system to create and manage files in
/etc/audit/rules.d
- Schedule periodic runs of augenrules

I didn't have to set USE_AUGENRULES (maybe because the older audit system
doesn't know to care?).  It has been working very well for me as a way of
managing differences in audit rules on systems while still keeping things
centralized.

--Ray
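
Steve's description of what augenrules does and Ray's backport procedure, as an added shell example that is not the augenrules script from the audit package and not anyone's code in this thread: a minimal merge of rules.d/*.rules into a single audit.rules, run on a constructed temporary directory. The control-line ordering (-D, -b, -f first, -e last) is my assumption about how augenrules orders things, not something the thread states.

```shell
#!/bin/sh
# Added example, not the augenrules script from the audit package: emulate the
# "compile" step that merges rules.d/*.rules into one audit.rules file.
# Assumed ordering (my reading of augenrules, not stated in the thread):
# -D first, then -b, then -f, ordinary rules in sorted file order, and -e
# last, so "-e 2" (lock the config) can never land before a rule that still
# has to load. Everything runs in a constructed temporary directory.

# make_sample_dir: build a rules.d-style directory with constructed files and
# print its path. 10-base.rules sorts first and 50-exec.rules last, exactly as
# they would under /etc/audit/rules.d.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-D' '-b 8192' '-f 1' > "$d/10-base.rules"
    printf '%s\n' '# watch identity files' \
        '-w /etc/passwd -p wa -k identity' \
        '-w /etc/shadow -p wa -k identity' > "$d/30-identity.rules"
    # "-e 2" is deliberately placed in a middle file to show it is hoisted last
    printf '%s\n' '-a always,exit -F arch=b64 -S execve -k exec' \
        '-e 2' > "$d/50-exec.rules"
    printf '%s\n' "$d"
}

# compile_rules DIR: print the merged rule set for DIR on stdout.
compile_rules() {
    dir="$1"
    set -- "$dir"/*.rules          # shell glob expands in sorted order
    [ -e "$1" ] || { echo "no *.rules in $dir" >&2; return 1; }
    echo "## compiled from $dir - edit the rules.d files, not this one"
    awk '
        /^[[:space:]]*#/  { next }          # drop comments
        /^[[:space:]]*$/  { next }          # drop blank lines
        /^[[:space:]]*-D/ { d[++nd] = $0; next }
        /^[[:space:]]*-b/ { b[++nb] = $0; next }
        /^[[:space:]]*-f/ { f[++nf] = $0; next }
        /^[[:space:]]*-e/ { e[++ne] = $0; next }
                          { r[++nr] = $0 }
        END {
            for (i = 1; i <= nd; i++) print d[i]
            for (i = 1; i <= nb; i++) print b[i]
            for (i = 1; i <= nf; i++) print f[i]
            for (i = 1; i <= nr; i++) print r[i]
            for (i = 1; i <= ne; i++) print e[i]
        }' "$@"
}

# Typical use from the periodic job Ray describes (paths assumed):
# compile_rules /etc/audit/rules.d > /etc/audit/audit.rules
```

Run as written it only touches the temporary directory; point compile_rules at the real rules.d only once the output has been reviewed, since a stray "-e 2" still locks the configuration until reboot.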

From: Dan White
Subject: Re: RHEL 6 audit.rules question
Date: Thu, 31 Jul 2014 21:46:24 -0400
Message-ID: <4C944041-25A8-49C5-A15D-D014C80B5D9C@icloud.com>
To: linux-audit@redhat.com
In-Reply-To: <144e83098c4a9de1d34cd5504f8ad8cb.squirrel@webmail.umbc.edu>

On Jul 31, 2014, at 9:58 AM, rshaw1@umbc.edu wrote:

>> On Jul 30, 2014, at 04:33 PM, Steve Grubb wrote:
>>
>>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>>>> Does the system allow for the import/include of groups of rules in other
>>>> files - like logrotate and /etc/logrotate.d/* ?
>>>
>>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
>>> can be dropped off. The augenrules utility will "compile" those into a master
>>> audit.rules file. You also have to enable augenrules by setting
>>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as it
>>> comes.
>>>
>>> -Steve
>>
>> Thanks for the quick answer.
>> Any plans to release 2.3.x to RHEL 6 that can be shared ?
>
> I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing
> the following:
>
> - Steal the augenrules script from a Fedora or RHEL7 package
> - Use my configuration management system to create and manage files in
> /etc/audit/rules.d
> - Schedule periodic runs of augenrules
>
> I didn't have to set USE_AUGENRULES (maybe because the older audit system
> doesn't know to care?).  It has been working very well for me as a way of
> managing differences in audit rules on systems while still keeping things
> centralized.
>
> --Ray

Great idea.  I may explore that.
Thanks.