From: Steve Grubb
Subject: Re: Monitoring files
Date: Tue, 24 Apr 2018 21:40:37 -0400
Message-ID: <4017531.u0FdrI09fj@x2>
References: <20180425004337.34h7wz5aezpcvlh2@madcap2.tricolour.ca>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs
List-Id: linux-audit@redhat.com

On Tuesday, April 24, 2018 9:12:49 PM EDT warron.french wrote:
> Steve, I did a search on the manpage for auditctl and there was no
> reference to any -i switch; of course it could be because the version
> we are on might be too old in comparison.

This is what the auditctl man page says from audit-1.0.16:

    -i    Ignore errors when reading rules from a file

I hope you are not using anything less than that.

-Steve

> On Tue, Apr 24, 2018 at 8:43 PM, Richard Guy Briggs wrote:
> > On 2018-04-24 18:04, warron.french wrote:
> > > Furthermore, where would I add the -i switch to a rule like this one:
> > >
> > > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
> >
> > I'm not aware of any per-rule switches to permit failure to load to be
> > non-fatal. I was suggesting it might help in your situation to add such
> > a feature, but I think the better solution is a customized rule set for
> > each machine or type of machine.
> >
> > > ??
> > >
> > > --------------------------
> > > Warron French
> > >
> > > On Tue, Apr 24, 2018 at 6:03 PM, warron.french wrote:
> > > > Mr. Briggs/Rafi,
> > > >
> > > > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > > >
> > > > Is this a documented switch, or not yet a capability on Red Hat or
> > > > CentOS systems?
> > > >
> > > > Thanks in advance,
> > > >
> > > > --------------------------
> > > > Warron French
> > > >
> > > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs wrote:
> > > >> On 2018-04-23 23:41, F Rafi wrote:
> > > >> > Adding a -i to the rules file should ignore any errors.
> > > >>
> > > >> At risk of feature creep, it might be nice to have a flag to ignore
> > > >> certain rules but not others, a way to tag individual rules with either
> > > >> a must, or a different tag with "ignore if not present" for file rules.
> > > >>
> > > >> > -Farhan
> > > >> >
> > > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french@gmail.com> wrote:
> > > >> > > Hi, I have a requirement to monitor a ton of files, executables and
> > > >> > > config files.
> > > >> > >
> > > >> > > Anyway, not all of my systems have every file in the list; and when I
> > > >> > > add the rules appropriate, either as a Watch (-w) rule or as an Action
> > > >> > > (-a) rule, the rules stop loading when they find a rule that has a file
> > > >> > > that doesn't exist *on that particular system*.
> > > >> > >
> > > >> > > This is the intended effect, yes?
> > > >> > >
> > > >> > > Thanks in advance,
> > > >> > > --------------------------
> > > >> > > Warron French
> > > >>
> > > >> - RGB
> > > >>
> > > >> --
> > > >> Richard Guy Briggs
> > > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > >> Remote, Ottawa, Red Hat Canada
> > > >> IRC: rgb, SunRaycer
> > > >> Voice: +1.647.777.2635, Internal: (81) 32635
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
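The thread contrasts two ways of coping with a rules file that names files absent on some hosts: `auditctl -i`, which ignores every load error (syntax errors included), and Richard's suggestion of a customized rule set per machine. The script below is an added example, not code from the thread or from the audit project: it generates a per-host rule set by commenting out only those `-w` / `-F path=` rules whose path does not exist on the machine, so genuine rule errors still fail loudly and every skipped rule is left visible for review. Handling `-F dir=` is an assumption of mine (the thread only shows `-w` and `-F path=`); the sample rules and temp paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): build a
# per-host audit rule set by commenting out file rules whose path is
# missing on this machine. Unlike 'auditctl -i', which masks every load
# error, syntax errors in the remaining rules stay fatal when loaded.
# Handles '-w PATH', '-F path=PATH' and '-F dir=PATH' (dir= is an
# assumption; the thread only shows -w and -F path=).

# filter_audit_rules SRC DST
# Copies SRC to DST, turning rules that name a missing path into comments.
filter_audit_rules() {
    src="$1"
    dst="$2"
    : > "$dst"
    while IFS= read -r line || [ -n "$line" ]; do
        path=""
        case "$line" in
            "-w "*)
                path=$(printf '%s\n' "$line" |
                    sed -n 's/^-w[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p') ;;
            *"-F path="*)
                path=$(printf '%s\n' "$line" |
                    sed -n 's/.*-F[[:space:]]\{1,\}path=\([^[:space:]]*\).*/\1/p') ;;
            *"-F dir="*)
                path=$(printf '%s\n' "$line" |
                    sed -n 's/.*-F[[:space:]]\{1,\}dir=\([^[:space:]]*\).*/\1/p') ;;
        esac
        if [ -n "$path" ] && [ ! -e "$path" ]; then
            # Keep the rule visible but inert so an operator can see
            # exactly what this host is not monitoring.
            printf '## skipped (path missing on this host): %s\n' "$line" >> "$dst"
        else
            printf '%s\n' "$line" >> "$dst"
        fi
    done < "$src"
}

# count_skipped DST: how many rules the filter commented out.
count_skipped() {
    grep -c '^## skipped' "$1"
}

# Demo against a constructed rule set in a temp dir (sample paths only).
demo_filter() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/present.conf" "$tmp/present-bin"
    {
        printf '%s\n' "# constructed sample rules"
        printf '%s\n' "-D"
        printf '%s\n' "-b 8192"
        printf '%s\n' "-w $tmp/present.conf -p wa -k present_cfg"
        printf '%s\n' "-w $tmp/absent.conf -p wa -k absent_cfg"
        printf '%s\n' "-a always,exit -F path=$tmp/present-bin -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
        printf '%s\n' "-a always,exit -F path=$tmp/absent-bin -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged"
        printf '%s\n' "-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec"
    } > "$tmp/audit.rules"
    filter_audit_rules "$tmp/audit.rules" "$tmp/audit.host.rules"
    cat "$tmp/audit.host.rules"
    rm -rf "$tmp"
}

demo_filter
```

Run it at deployment time on each host (for instance from configuration management before `augenrules --load`) with the shared master rules file as SRC and the host's `/etc/audit/rules.d/` target as DST; the `## skipped` comments give a quick way to diff what each machine is actually watching against the intended baseline.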