On Tuesday, April 24, 2018 7:45:15 PM EDT warron.french wrote:
Mr. Briggs/Rafi,
I don't see the -i switch even mentioned in the manpage for audit.rules.
Is this a documented switch, or not yet a capability on Red Hat or CentOS
systems?
All audit commands are documented in the auditctl man page. When rules load,
auditctl processes them as if you typed them in one by one via auditctl. It's
just that you do not need to type auditctl on each line of the rules.
-Stev
--------------------------
Warron French
On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2018-04-24 18:03, warron.french wrote:
> > Mr. Briggs/Rafi,
>
> I think you forgot to reply to the list (preferred) and/or Rafi.
>
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> > > On 2018-04-23 23:41, F Rafi wrote:
> > > > Adding a -i to the rules file should ignore any errors.
> > >
> > > At risk of feature creep, it might be nice to have a flag to ignore
> > > certain rules but not others, a way to tag individual rules with either
> > > a must, or a different tag with "ignore if not present" for file
> > > rules.
> > >
> > > > -Farhan
> > > >
> > > > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french(a)gmail.com> wrote:
> > > > > Hi, I have a requirement to monitor a ton of files, executables and
> > > > > config files.
> > > > >
> > > > > Anyway, not all of my systems have every file in the list; and when I
> > > > > add the rules appropriate, either as a Watch (-w) rule or as an
> > > > > Action (-a) rule, the rules stop loading when they find a rule that
> > > > > has a file that doesn't exist *on that particular system*.
> > > > >
> > > > > This is the intended effect, yes?
> > > > >
> > > > > Thanks in advance,
> > > > > --------------------------
> > > > > Warron French
> > >
> > > - RGB
> > >
> > > --
> > > Richard Guy Briggs <rgb(a)redhat.com>
> > > Sr. S/W Engineer, Kernel Security, Base Operating Systems
> > > Remote, Ottawa, Red Hat Canada
> > > IRC: rgb, SunRaycer
> > > Voice: +1.647.777.2635, Internal: (81) 32635
>
> - RGB
>
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
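
Added example, not part of the thread or of the audit project's code: when a rules file is loaded with `-i`, a rule whose file is absent on a host fails and loading carries on, so it helps to know beforehand which rules will not be in effect on that host. The function name and the simplified parsing (whitespace-separated words, no quoted paths) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): report audit rules whose watched path
# is absent on this host, i.e. the rules that fail to load.
# Usage: missing_watch_paths RULES_FILE
# Prints "LINE<TAB>PATH" per missing target; returns 1 if any was missing.
# Assumption: paths contain no whitespace or quoting.
missing_watch_paths() {
    rules_file=$1
    lineno=0
    missing=0
    set -f                            # no glob expansion while word-splitting
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;      # blank lines and comments
        esac
        prev=''
        for word in $line; do
            path=''
            case $prev:$word in
                -w:*)      path=$word ;;            # -w /some/file
                -F:path=*) path=${word#path=} ;;    # -a ... -F path=/some/file
                -F:dir=*)  path=${word#dir=} ;;     # -a ... -F dir=/some/dir
            esac
            if [ -n "$path" ] && [ ! -e "$path" ]; then
                printf '%s\t%s\n' "$lineno" "$path"
                missing=1
            fi
            prev=$word
        done
    done < "$rules_file"
    set +f
    return "$missing"
}
```

Running it against the rules file on each host before loading gives a per-host list of rules that will not be active, and the non-zero return value can gate a deployment step.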