public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>
Subject: Re: Monitoring files
Date: Tue, 24 Apr 2018 20:24:34 -0400
Message-ID: <6077410.AcHasQvfG8@x2>
In-Reply-To: <CAJdJdQn1XfSJjggLn4TCW757N=QULEVnT0YUkGnqKCXbgwQn9w@mail.gmail.com>

On Tuesday, April 24, 2018 7:45:15 PM EDT warron.french wrote:
>  Mr. Briggs/Rafi,
> 
> I don't see the -i switch even mentioned in the manpage for audit.rules.
> Is this a documented switch, or not yet a capability on Red Hat or CentOS
> systems?

All audit commands are documented in the auditctl man page. When rules load, 
auditctl processes them as if you typed them in one by one via auditctl. It's 
just that you do not need to type auditctl on each line of the rules.

-Steve

> --------------------------
> Warron French
> 
> On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2018-04-24 18:03, warron.french wrote:
> > > Mr. Briggs/Rafi,
> > 
> > I think you forgot to reply to the list (preferred) and/or Rafi.
> > 
> > > > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > > > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > > > systems?
> > > 
> > > Thanks in advance,
> > > 
> > > --------------------------
> > > Warron French
> > > 
> > > 
> > > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > > > On 2018-04-23 23:41, F Rafi wrote:
> > > > > Adding a -i to the rules file should ignore any errors.
> > > > 
> > > > > At risk of feature creep, it might be nice to have a flag to ignore
> > > > > certain rules but not others, a way to tag individual rules with either
> > > > > a must, or a different tag with "ignore if not present" for file rules.
> > > > 
> > > > > -Farhan
> > > > > 
> > > > > > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french@gmail.com> wrote:
> > > > > > > Hi, I have a requirement to monitor a ton of files, executables
> > > > > > > and config files.
> > > > > > > 
> > > > > > > Anyway, not all of my systems have every file in the list; and
> > > > > > > when I add the rules appropriate, either as a Watch (-w) rule or
> > > > > > > as an Action (-a) rule, the rules stop loading when they find a
> > > > > > > rule that has a file that doesn't exist *on that particular system*.
> > > > > > 
> > > > > > This is the intended effect, yes?
> > > > > > 
> > > > > > Thanks in advance,
> > > > > > --------------------------
> > > > > > Warron French
> > > > 
> > > > - RGB
> > > > 
> > > > --
> > > > Richard Guy Briggs <rgb@redhat.com>
> > > > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > > Remote, Ottawa, Red Hat Canada
> > > > IRC: rgb, SunRaycer
> > > > Voice: +1.647.777.2635, Internal: (81) 32635
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
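
Added example, not part of the original thread or the audit project's code: one way to get the per-rule "ignore if not present" behaviour discussed above without a blanket -i is to generate the watch rules per host and emit a -w line only for paths that exist there. The candidate-list format ("path perms key", whitespace-free paths), the key name and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Emit audit watch rules only for candidate paths present on this host, so a
# missing file cannot stop the rule load and -i is not needed to hide it.
# Candidate list format (assumed for this example): "<path> <perms> <key>",
# one entry per line; blank lines and lines starting with '#' are skipped.

gen_watch_rules() {
    # $1 = candidate list file. Rules go to stdout, skipped paths to stderr.
    while read -r path perms key; do
        case "$path" in
            ''|'#'*) continue ;;
        esac
        if [ -e "$path" ]; then
            printf '%s %s -p %s -k %s\n' -w "$path" "${perms:-wa}" "${key:-watched}"
        else
            printf 'skipped (not present): %s\n' "$path" >&2
        fi
    done < "$1"
}

demo() {
    # Constructed sample: one path that exists and one that does not.
    tmp=$(mktemp -d) || return 1
    : > "$tmp/present.conf"
    cat > "$tmp/candidates" <<EOF
# path perms key
$tmp/present.conf wa cfg-change
$tmp/absent.conf wa cfg-change
EOF
    gen_watch_rules "$tmp/candidates" 2>/dev/null
    rm -rf "$tmp"
}

# Stand-alone use: ./gen-watch-rules.sh candidates.txt > host-watches.rules
if [ "$#" -ge 1 ]; then
    gen_watch_rules "$1"
fi
```

The generated file can be loaded with auditctl -R; because -i is not used, a genuinely malformed rule still stops the load and is reported, while absent paths are listed on stderr for review.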

Thread overview: 11+ messages
2018-04-24  1:19 Monitoring files warron.french
2018-04-24  3:41 ` F Rafi
2018-04-24 15:14   ` Richard Guy Briggs
     [not found]     ` <CAJdJdQmgw1hPeCas8D_uK9uxWoqUekgx2aiu0RBPwAqYtiYScw@mail.gmail.com>
     [not found]       ` <20180424223117.kpzra3iisyckuofh@madcap2.tricolour.ca>
2018-04-24 23:45         ` warron.french
2018-04-25  0:24           ` Steve Grubb [this message]
     [not found]       ` <CAJdJdQ=jZ3fvYi_mbPxGQ2Lo3G-GnVBuecEuHhz-i1JzAp=-5w@mail.gmail.com>
2018-04-25  0:43         ` Richard Guy Briggs
2018-04-25  1:12           ` warron.french
2018-04-25  1:40             ` Steve Grubb
2018-04-25 14:06           ` F Rafi
2018-04-25 17:01             ` warron.french
2018-04-25 21:46               ` Steve Grubb