From: Steve Grubb
Subject: Re: Monitoring files
Date: Tue, 24 Apr 2018 20:24:34 -0400
Message-ID: <6077410.AcHasQvfG8@x2>
References: <20180424223117.kpzra3iisyckuofh@madcap2.tricolour.ca>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs
List-Id: linux-audit@redhat.com

On Tuesday, April 24, 2018 7:45:15 PM EDT warron.french wrote:
> Mr. Briggs/Rafi,
>
> I don't see the -i switch even mentioned in the manpage for audit.rules.
> Is this a documented switch, or not yet a capability on Red Hat or CentOS
> systems?

All audit commands are documented in the auditctl man page. When rules load,
auditctl processes them as if you typed them in one by one via auditctl. It's
just that you do not need to type auditctl on each line of the rules.

-Steve

> --------------------------
> Warron French
>
> On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs wrote:
> > On 2018-04-24 18:03, warron.french wrote:
> > > Mr. Briggs/Rafi,
> >
> > I think you forgot to reply to the list (preferred) and/or Rafi.
> >
> > > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > > Is this a documented switch, or not yet a capability on Red Hat or
> > > CentOS systems?
> > >
> > > Thanks in advance,
> > >
> > > --------------------------
> > > Warron French
> > >
> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs wrote:
> > > > On 2018-04-23 23:41, F Rafi wrote:
> > > > > Adding a -i to the rules file should ignore any errors.
> > > >
> > > > At risk of feature creep, it might be nice to have a flag to ignore
> > > > certain rules but not others, a way to tag individual rules with either
> > > > a must, or a different tag with "ignore if not present" for file rules.
> > > >
> > > > > -Farhan
> > > > >
> > > > > On Mon, Apr 23, 2018 at 9:19 PM, warron.french
> > > > > <warron.french@gmail.com> wrote:
> > > > > > Hi, I have a requirement to monitor a ton of files, executables
> > > > > > and config files.
> > > > > >
> > > > > > Anyway, not all of my systems have every file in the list; and
> > > > > > when I add the rules appropriate, either as a Watch (-w) rule or
> > > > > > as an Action (-a) rule, the rules stop loading when they find a
> > > > > > rule that has a file that doesn't exist *on that particular
> > > > > > system*.
> > > > > >
> > > > > > This is the intended effect, yes?
> > > > > >
> > > > > > Thanks in advance,
> > > > > > --------------------------
> > > > > > Warron French
> > > >
> > > > - RGB
> > > >
> > > > --
> > > > Richard Guy Briggs
> > > > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > > Remote, Ottawa, Red Hat Canada
> > > > IRC: rgb, SunRaycer
> > > > Voice: +1.647.777.2635, Internal: (81) 32635
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs
> > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > Remote, Ottawa, Red Hat Canada
> > IRC: rgb, SunRaycer
> > Voice: +1.647.777.2635, Internal: (81) 32635
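
Added example (not part of the thread and not auditctl code): one way to get the per-rule "ignore if not present" behaviour discussed above, without ignoring every load error, is to filter the rules file on each host before loading it. The helper names rule_path and filter_rules are hypothetical, and the parsing assumes paths without spaces.

```shell
#!/bin/sh
# Added example: pre-filter audit rules so that watches on paths missing from
# this host are commented out instead of aborting the rule load.
# rule_path and filter_rules are hypothetical helper names.

# Print the path a rule refers to ("-w PATH", "-F path=PATH" or "-F dir=PATH").
# Prints nothing for rules that name no file, e.g. plain syscall rules.
# Assumption: simple whitespace splitting, so paths with spaces are not handled.
rule_path() {
    set -f                      # do not glob-expand while splitting the rule
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -w) [ $# -ge 2 ] && printf '%s\n' "$2"; return 0 ;;
            -F) case ${2-} in
                    path=*|dir=*) printf '%s\n' "${2#*=}"; return 0 ;;
                esac ;;
        esac
        shift
    done
}

# Read rules on stdin, write them to stdout; rules whose path does not exist
# are kept as comments so the gap stays visible in the loaded file.
filter_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        p=$(rule_path "$line")
        if [ -n "$p" ] && [ ! -e "$p" ]; then
            printf '# skipped (path not present on this host): %s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample rules; /nonexistent/tool is assumed to be absent.
filter_rules <<'EOF'
-w /etc/passwd -p wa -k identity
-w /nonexistent/tool -p x -k tools
-a always,exit -F path=/nonexistent/tool -F perm=x -k tools
-a always,exit -F arch=b64 -S execve -k exec
EOF
```

Because only rules for absent paths are commented out, any other error in the filtered file still stops the load as usual.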