On Wed, 01 May 2013 10:29:07 -0400,
Steve Grubb <sgrubb(a)redhat.com> wrote:
Hi,
Hello,
[...]
Several people have asked for a way to deposit rules into a directory
so that based on what is installed, rules can also be added. This
makes it easier to have a core system that gets packages, config, and
files added to make it a different kind of server or desktop. My
guess is that it will be mostly used to add watches on setuid apps
which can differ from machine type to machine type.
The place where these rules are stored is /etc/audit/rules.d.
Compiling rules from that directory will result in a new file being
written to /etc/audit/audit.rules. That means it can overwrite
existing rules. Since we don't want that to happen by accident,
augenrules is disabled by default.
[...]
The make install rule is now installing audit.rules in
the /etc/audit/rules.d directory.
What would happen on a fresh installation if the augenrules call is disabled
and /etc/audit/audit.rules does not exist?
Will /etc/audit/rules.d/audit.rules be called as a fallback? Or should
distributions take care of shipping both /etc/audit/audit.rules
and /etc/audit/rules.d/audit.rules?
What do you think?
Cheers
Laurent Bigonville
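
The overwrite concern and the fresh-install question from the message above, as an added shell sketch that is not part of the original thread and is not augenrules' own code. It assumes fragments are simply concatenated in sorted order with comments dropped; the function names and the sample rules are made up for illustration.

```shell
# Added sketch, not augenrules itself. Directory and target are arguments,
# so it can be tried on a scratch tree instead of /etc/audit.

# Drop comments and blank lines from one rules file.
normalize() { grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true; }

# compile_rules DIR: print the *.rules fragments merged in sorted glob order.
compile_rules() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] && normalize "$f"
    done
    return 0
}

# rules_state DIR TARGET: print missing | in-sync | differs
#   missing: TARGET absent (the fresh-install case asked about above)
#   differs: compiling would replace rules currently in TARGET
rules_state() {
    if [ ! -f "$2" ]; then
        echo missing
    elif [ "$(compile_rules "$1")" = "$(normalize "$2")" ]; then
        echo in-sync
    else
        echo differs
    fi
}

# install_rules DIR TARGET [force]: write TARGET, but refuse (return 1)
# when that would overwrite differing rules and "force" was not given.
install_rules() {
    if [ "$(rules_state "$1" "$2")" = differs ] && [ "${3:-}" != force ]; then
        echo "refusing to overwrite $2" >&2
        return 1
    fi
    compile_rules "$1" > "$2"
}

# Constructed sample tree and rules, for demonstration only.
demo() {
    t=$(mktemp -d) && mkdir "$t/rules.d"
    printf '%s\n' '# base' '-D' '-b 320' > "$t/rules.d/10-base.rules"
    printf '%s\n' '-w /usr/bin/passwd -p x -k setuid' > "$t/rules.d/50-setuid.rules"
    rules_state "$t/rules.d" "$t/audit.rules"                 # fresh install
    install_rules "$t/rules.d" "$t/audit.rules"
    echo '-w /etc/shadow -p wa -k local' >> "$t/audit.rules"  # hand edit
    rules_state "$t/rules.d" "$t/audit.rules"
    rm -rf "$t"
}
demo
```

A packaging script could run a check like `rules_state` at install time to decide whether shipping only the rules.d fragment leaves the system without a loadable rules file.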