Thanks F Rafi.

Steve, does the "-i" flag go on a line simply by itself?

And so the benefit of this switch is that, for rules applied through the audit.rules file that are monitoring files where the files are not on the system, it will do which:
1.  Not load the rule, skip to the next rule and load it if possible?
2. Load the rule, but will simply not indicate an error at all?

Therefore all rules that can be loaded will be loaded (if the files are in place) and those that don't actually have their files to monitor will simply not be added to the chain of rules?


Thanks for the explanation,



--------------------------
Warron French

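The thread leaves open exactly what auditctl does with a rule whose file is missing, but either way an administrator wants to know, per host, which rules reference paths that do not exist there. The script below is an added example, not code from the thread or from the audit project: a small POSIX sh pre-check that extracts the paths named by `-w /path` and `-F path=/path` rules and reports the ones absent on the local machine. It assumes one rule per line in the rules file and, as F Rafi describes, a bare `-i` line at the top of the file as the way to keep loading past failing rules; the function names and the constructed sample rules are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-check an audit rules file and list the
# referenced paths that do not exist on this host.  Assumptions: one rule per
# line, file rules written as "-w /path ..." or "-a ... -F path=/path ...", and,
# as F Rafi describes, a bare "-i" line at the top of the file telling auditctl
# to keep loading past rules that fail.  Function names are hypothetical.

# Print every path referenced by -w or -F path= rules in the file, one per line.
# Comment lines (leading #) and blank lines are ignored.
audit_rule_paths() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-w") {
                    print $(i + 1)
                } else if ($i == "-F" && substr($(i + 1), 1, 5) == "path=") {
                    print substr($(i + 1), 6)
                }
            }
        }' "$1"
}

# Print the referenced paths that are absent on this host: the rules the thread
# says halt loading without -i, and that the -i line is meant to get past.
audit_missing_paths() {
    audit_rule_paths "$1" | while IFS= read -r p; do
        [ -e "$p" ] || printf '%s\n' "$p"
    done
}

# Return 0 when every referenced path exists, 1 otherwise, reporting the misses
# on stderr so a per-host rule set (as RGB suggests) can be trimmed to fit.
audit_check_rules() {
    missing=$(audit_missing_paths "$1")
    if [ -n "$missing" ]; then
        printf 'rules in %s reference paths missing on %s:\n%s\n' \
            "$1" "$(uname -n)" "$missing" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample rules file in a scratch directory and print its
# path; one watched file is created, the other is deliberately left absent.
make_sample_rules() {
    dir=$(mktemp -d)
    : > "$dir/present.conf"
    cat > "$dir/audit.rules" <<EOF
-i
# constructed sample: one present file, one absent file
-w $dir/present.conf -p wa -k config_change
-a always,exit -F path=$dir/absent-binary -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
EOF
    printf '%s\n' "$dir/audit.rules"
}

# Usage: sh check-rules.sh /etc/audit/rules.d/50-files.rules
if [ "$#" -gt 0 ]; then
    audit_check_rules "$1"
fi
```

Run it against each host's rules file before loading; a non-zero exit means at least one rule names a path that does not exist there, which is the case the `-i` line is meant to get past.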

On Wed, Apr 25, 2018 at 10:06 AM, F Rafi <farhanible@gmail.com> wrote:
Warron,

> Furthermore, where would I add the -i switch to a rule like this one:

You basically put a "-i" on a separate line by itself afaik somewhere at the top of the audit rules file. All the rules below the -i line will not cause a load failure (Steve and RGB can confirm). 

Farhan

On Tue, Apr 24, 2018 at 8:49 PM Richard Guy Briggs <rgb@redhat.com> wrote:
On 2018-04-24 18:04, warron.french wrote:
> Furthermore, where would I add the -i switch to a rule like this one:
>
> -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> auid!=4294967295 -k privileged

I'm not aware of any per-rule switches to permit failure to load to be
non-fatal.  I was suggesting it might help in your situation to add such
a feature, but I think the better solution is a customized rule set for
each machine or type of machine.

> ??
>
> --------------------------
> Warron French
>
>
> On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french@gmail.com>
> wrote:
>
> > Mr. Briggs/Rafi,
> >
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb@redhat.com>
> > wrote:
> >
> >> On 2018-04-23 23:41, F Rafi wrote:
> >> > Adding a -i to the rules file should ignore any errors.
> >>
> >> At risk of feature creep, it might be nice to have a flag to ignore
> >> certain rules but not others, a way to tag individual rules with either
> >> a must, or a different tag with "ignore if not present" for file rules.
> >>
> >> > -Farhan
> >> >
> >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french@gmail.com>
> >> wrote:
> >> > > Hi, I have a requirement to monitor a ton of files, executables and
> >> config
> >> > > files.
> >> > >
> >> > > Anyway, not all of my systems have every file in the list; and when I
> >> add
> >> > > the rules appropriate, either as a Watch (-w) rule or as an Action
> >> (-a)
> >> > > rule, the rules stop loading when they find a rule that has a file that
> >> > > doesn't exist *on that particular system*.
> >> > >
> >> > > This is the intended effect, yes?
> >> > >
> >> > > Thanks in advance,
> >> > > --------------------------
> >> > > Warron French
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <rgb@redhat.com>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >>
> >
> >

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit