On Tuesday, July 28, 2015 05:26:18 PM Florian Crouzat wrote:
 Unfortunately, I do not only watch over system-related files and folders
 but also applicative ones (e.g. custom path where some private keys are
 stored, etc.)...
 My problem is that these folders do not exist on all hosts, thus making
 it impossible to write a generic audit.rules file.
What kernel are you using? And user space package?
 As I said, I have thousands of hosts and I can't imagine deploying
 different files on every host depending on the profile of the host.
 I know Puppet could help me for this kind of stuff but I don't have it
 yet and even though, it would be difficult to configure.
As of the 2.3 user space release, there is a utility, augenrules, which takes
files in /etc/audit/rules.d/ and compiles them into an audit.rules file. So, it
would be possible for you to package up some rules for bind and install them
when you install bind and have your package install a
/etc/audit/rules.d/bind.rules file. You can have a base config, and then one for
each kind of daemon or role that the machine serves.
 How do you guys usually work around this issue? I'm pretty sure I'm not
 the first one wanting to deploy a generic hardening across many hosts
 (but maybe I'm the only one using auditd to watch over something else
 than pure system-related stuff?)
Others can chime in here.
-Steve
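
The per-role layout described in the reply above, as an added example that is not part of the original thread: each role's package drops its own fragment into the rules directory, so a watch only exists on hosts where the watched path exists. The function names, key names and watched paths are constructed for illustration, and `merge_preview` is a simplified stand-in for the merge, not augenrules' actual logic.

```shell
#!/bin/sh
# Per-role audit rule fragments, as a package install script might write them.
# On a real host RULES_DIR would be /etc/audit/rules.d and the install script
# would then run `augenrules --load` to rebuild and load audit.rules.

# write_fragment RULES_DIR NAME KEY PATH...
# Writes RULES_DIR/NAME.rules with one watch (write + attribute change)
# per path, all tagged with the same search key.
write_fragment() {
    dir=$1; name=$2; key=$3; shift 3
    {
        echo "# $name.rules: installed together with this role"
        for p in "$@"; do
            echo "-w $p -p wa -k $key"
        done
    } > "$dir/$name.rules"
}

# merge_preview RULES_DIR
# Simplified preview of the compiled result: concatenates *.rules in
# sorted file-name order, dropping comments and blank lines.
merge_preview() {
    for f in "$1"/*.rules; do
        [ -e "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    done
}

# Demo in a scratch directory (constructed paths, nothing under /etc touched).
demo() {
    d=$(mktemp -d)
    # Base config shipped to every host.
    write_fragment "$d" 10-base identity /etc/passwd /etc/shadow
    # Fragment shipped only by the bind package, so only bind hosts get it.
    write_fragment "$d" 50-bind bind-config /etc/named.conf
    merge_preview "$d"
    rm -rf "$d"
}
demo
```

The numeric prefixes keep the base fragment ahead of the role fragments in the merged output.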