Re: EXT :Re: Adding enterprise capability - an includeConfig directive for audit.rules?

On Sunday, April 07, 2013 09:16:46 PM Burn Alting wrote: Thanks for taking this on. One issue that I am concerned about is how this feature gets added to existing setups. For example, someone may have a /etc/audit/audit.rules file, then upgrade and if there is an empty shipped policy in /etc/audit/audit.d, it will erase the installed rules. So, I think we should have an /etc/sysconfig option that enables augenrules so that an admin has to do something to turn this on thus preventing automatic deletion of rules. For systemd, I think we want to ship the service file with the ExecStartPost line commented out which then requires an admin to take an action to enable. We really don't want unexpected things to happen during an upgrade. In generating rules, we should always start with -D. I can't imagine not having it. We probably want the largest in all the processed files. We probably want the largest here, too. I was thinking that if any of the files try to ask for it to be immutable, then it should go at the end. That is great, because any write could be an auditable event. At some point we also might want to add support for a --check option which does everything except overwrite the final rules. -Steve