From: Dan White
Subject: Re: RHEL 6 audit.rules question
Date: Thu, 31 Jul 2014 11:59:02 +0000 (GMT)
Message-ID: <9bbafff9-6c53-475f-acf0-d0bf8ad07931@me.com>
To: linux-audit@redhat.com

On Jul 30, 2014, at 04:33 PM, Steve Grubb wrote:

> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
> > Does the system allow for the import/include of groups of rules in other
> > files - like logrotate and /etc/logrotate.d/* ?
>
> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
> can be dropped off. The augenrules utility will "compile" those into a master
> audit.rules file. You also have to enable augenrules by setting
> USE_AUGENRULES="yes" in /etc/sysconfig/audit. That is about as close as it
> comes.
>
> -Steve

Thanks for the quick answer.
Any plans to release 2.3.x to RHEL 6 that can be shared?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.” (Bill Watterson: Calvin & Hobbes)
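
A sketch of the rules.d layout described in the quoted reply, added here as an example that is not part of the original message or of the audit package. `merge_rules` is a simplified stand-in for the merge step (sorted concatenation only, not augenrules' actual logic), `check_immutable_last` flags fragments that sort after a `-e 2` line, since rules following it will not load, and the file names, rule contents and temporary paths are constructed.

```shell
#!/bin/sh
# Simplified stand-in for the merge step; this is NOT augenrules itself.
# Concatenates DIR/*.rules in sorted filename order, dropping comments
# and blank lines, and prints the result on stdout.
merge_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    done
}

# Returns 0 if "-e 2" (immutable mode) is absent or is the final merged
# rule, 1 if any rule sorts after it and would therefore fail to load.
check_immutable_last() {
    merge_rules "$1" | awk '
        locked { bad = 1 }
        $1 == "-e" && $2 == "2" { locked = 1 }
        END { exit bad + 0 }'
}

# Returns 0 if FILE (a copy of /etc/sysconfig/audit) enables augenrules.
augenrules_enabled() {
    grep -Eq '^[[:space:]]*USE_AUGENRULES="?yes"?[[:space:]]*$' "$1"
}

# Constructed sample tree in a temp dir, so nothing under /etc is touched.
demo=$(mktemp -d)
mkdir "$demo/rules.d"
printf '%s\n' '# reset and size the backlog' '-D' '-b 8192' \
    > "$demo/rules.d/10-base.rules"
printf '%s\n' '-w /etc/passwd -p wa -k identity' \
    > "$demo/rules.d/50-identity.rules"
printf '%s\n' '-e 2' > "$demo/rules.d/99-finalize.rules"
printf '%s\n' 'USE_AUGENRULES="yes"' > "$demo/sysconfig-audit"

merge_rules "$demo/rules.d"
check_immutable_last "$demo/rules.d" && echo "ok: -e 2 is the last rule"
augenrules_enabled "$demo/sysconfig-audit" && echo "ok: augenrules enabled"
```
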