Re: EXT :Re: Adding enterprise capability - an includeConfig directive for audit.rules?

On Sunday, April 07, 2013 09:16:46 PM Burn Alting wrote: > Please find attached my patch on this matter. Thanks for taking this on. > I essence, /etc/audit/audit.rules is now formed from files (.rules > suffixed) within /etc/audit/rules.d. The new script /sbin/augenrules is > executed by from either startup script, /etc/init.d/auditd > or /usr/lib/systemd/system/auditd.service before calling auditctl. One issue that I am concerned about is how this feature gets added to existing setups. For example, someone may have a /etc/audit/audit.rules file, then upgrade and if there is an empty shipped policy in /etc/audit/audit.d, it will erase the installed rules. So, I think we should have an /etc/sysconfig option that enables augenrules so that an admin has to do something to turn this on thus preventing automatic deletion of rules. For systemd, I think we want to ship the service file with the ExecStartPost line commented out which then requires an admin to take an action to enable. We really don't want unexpected things to happen during an upgrade. > The generated file ensures > - the last processed -D directive without an option, if present, is > emitted on the first line In generating rules, we should always start with -D. I can't imagine not having it. > - the last processed -b directive, if present, is emitted on the second > line We probably want the largest in all the processed files. > - the last processed -f directive, if present, is emitted on the third > line We probably want the largest here, too. > - the last processed -e directive, if present, is emitted as the last > line. I was thinking that if any of the files try to ask for it to be immutable, then it should go at the end. > The file, /etc/audit/audit.rules, is only updated if it has changed. > > https://www.redhat.com/mailman/listinfo/linux-audit That is great, because any write could be an auditable event. At some point we also might want to add support for a --check option which does everything except overwrite the final rules. -Steve