From: Florian Crouzat
Subject: Watching over non-existent folder to maintain a generic audit.rules file
Date: Tue, 28 Jul 2015 17:26:18 +0200
Message-ID: <55B79F1A.1040207@floriancrouzat.net>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

I'm a bit new to auditd, so excuse me if this question has already been answered, but I failed to find answers.
I'm in the process of replacing a FIM tool with auditd, which is by far more powerful, but I wanted to describe all possible files and folders (or system calls) that I need to watch over in a generic audit.rules file that I would deploy on thousands of hosts. Unfortunately, I do not only watch over system-related files and folders but also application-specific ones (e.g. a custom path where some private keys are stored, etc.). My problem is that these folders do not exist on all hosts, thus making it impossible to write a generic audit.rules file.

As I said, I have thousands of hosts and I can't imagine deploying different files on every host depending on the profile of the host. I know Puppet could help me with this kind of stuff, but I don't have it yet, and even then, it would be difficult to configure.

How do you guys usually work around this issue? I'm pretty sure I'm not the first one wanting to deploy a generic hardening across many hosts (but maybe I'm the only one using auditd to watch over something other than pure system-related stuff?).

Thanks,
Florian
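One way to handle the absent-path problem raised in the post, as an added example that is not part of the original thread: a small POSIX shell filter that takes one generic audit.rules template and renders a host-specific copy in which "-w" watches on paths that do not exist on the host are commented out. The template contents and the /etc/myapp/keys path are constructed for the example; only -w watch lines are checked, everything else passes through unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): build a host-specific audit.rules
# from a generic template by commenting out "-w <path> ..." watches whose
# path does not exist on this host, so one template can be shipped to every
# host and rendered locally (e.g. before loading it with "auditctl -R <file>").
# Only -w watch lines are checked; all other lines are passed through as-is.

# Usage: filter_audit_rules TEMPLATE_FILE   (host-specific rules on stdout)
filter_audit_rules() {
    template="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "-w "*)
                # The second whitespace-separated field is the watched path.
                path=$(printf '%s\n' "$line" | awk '{ print $2 }')
                if [ -e "$path" ]; then
                    printf '%s\n' "$line"
                else
                    printf '# skipped, path absent on this host: %s\n' "$line"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$template"
}

# Demo with a constructed template: /etc/passwd exists on practically every
# host, while /etc/myapp/keys is a hypothetical application directory.
demo() {
    tmpl=$(mktemp) || return 1
    cat > "$tmpl" <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/myapp/keys -p rwa -k app_private_keys
-a always,exit -F arch=b64 -S execve -k exec
EOF
    filter_audit_rules "$tmpl"
    rm -f "$tmpl"
}

demo
```

The skipped lines stay in the rendered file as comments, so a later review of a host's rules still shows which watches the template intended.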