public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: Monitoring files
Date: Tue, 24 Apr 2018 21:40:37 -0400
Message-ID: <4017531.u0FdrI09fj@x2>
In-Reply-To: <CAJdJdQmgE3rYD31Ova2MVYtyH7EWTvvV0juZrSBkBTaLshd5DQ@mail.gmail.com>

On Tuesday, April 24, 2018 9:12:49 PM EDT warron.french wrote:
> Steve, I did a search on the manpage for auditctl and there were no
> references to any -i switch; of course it could be because the version we
> are on might be too old in comparison.

This is what the auditctl man page says from audit-1.0.16:

-i     Ignore errors when reading rules from a file

I hope you are not using anything less than that.

-Steve


> On Tue, Apr 24, 2018 at 8:43 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2018-04-24 18:04, warron.french wrote:
> > > Furthermore, where would I add the -i switch to a rule like this one:
> > > 
> > > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> > > auid!=4294967295 -k privileged
> > 
> > I'm not aware of any per-rule switches to permit failure to load to be
> > non-fatal.  I was suggesting it might help in your situation to add such
> > a feature, but I think the better solution is a customized rule set for
> > each machine or type of machine.
> > 
> > > ??
> > > 
> > > --------------------------
> > > Warron French
> > > 
> > > 
> > > On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french@gmail.com> wrote:
> > > > Mr. Briggs/Rafi,
> > > > 
> > > > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > > > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > > > systems?
> > > > 
> > > > Thanks in advance,
> > > > 
> > > > --------------------------
> > > > Warron French
> > > > 
> > > > 
> > > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > >> On 2018-04-23 23:41, F Rafi wrote:
> > > >> > Adding a -i to the rules file should ignore any errors.
> > > >> 
> > > >> At risk of feature creep, it might be nice to have a flag to ignore
> > > >> certain rules but not others, a way to tag individual rules with either
> > > >> a must, or a different tag with "ignore if not present" for file rules.
> > 
> > > >> > -Farhan
> > > >> > 
> > > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french@gmail.com> wrote:
> > > >> > > Hi, I have a requirement to monitor a ton of files, executables and config
> > > >> > > files.
> > > >> > > 
> > > >> > > Anyway, not all of my systems have every file in the list; and when I add
> > > >> > > the rules appropriate, either as a Watch (-w) rule or as an Action (-a)
> > > >> > > rule, the rules stop loading when they find a rule that has a file that
> > > >> > > doesn't exist *on that particular system*.
> > > >> > > 
> > > >> > > This is the intended effect, yes?
> > > >> > > 
> > > >> > > Thanks in advance,
> > > >> > > --------------------------
> > > >> > > Warron French
> > > >> 
> > > >> - RGB
> > > >> 
> > > >> --
> > > >> Richard Guy Briggs <rgb@redhat.com>
> > > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > >> Remote, Ottawa, Red Hat Canada
> > > >> IRC: rgb, SunRaycer
> > > >> Voice: +1.647.777.2635, Internal: (81) 32635
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
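A per-host rule filter of the kind Richard suggests above, added here as an example that is not part of the thread and not audit project code: it reads an audit rules file and comments out any -w or -F path= rule whose path does not exist on this host, so the remaining rules load without stopping at a missing file. The rules path in the usage comment is a placeholder.

```shell
#!/bin/sh
# filter_audit_rules: read audit rules on stdin and print only the rules whose
# watched path exists on this host. Rules for missing paths are printed as
# comments so the skip stays visible in the generated file. Lines without a
# path (-D, -b, -a rules without -F path=, comments) pass through unchanged.
# Covers both forms from the thread: "-w /path ..." and "-a ... -F path=/path ...".
filter_audit_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=""
        case "$line" in
            -w\ *)
                # watch rule: the path is the second token
                path=$(printf '%s\n' "$line" | awk '{print $2}')
                ;;
            *-F\ path=*)
                # syscall rule with a path filter: take the value after "path="
                path=$(printf '%s\n' "$line" | sed -n 's/.*-F path=\([^ ]*\).*/\1/p')
                ;;
        esac
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            printf '# skipped (missing on this host): %s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done
}

# Usage (placeholder path): filter_audit_rules < /etc/audit/rules.d/site.rules > /tmp/site.rules
# The generated file can then be loaded with "auditctl -R /tmp/site.rules".
if [ "$#" -ge 1 ]; then
    filter_audit_rules < "$1"
fi
```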
