On Tue, Aug 22, 2006 at 11:51:14AM -0400, Steve Grubb wrote:
> On the other hand, suppose you wrote a system that dynamically alters the audit
> rules. You could use the key field to identify those rules so that you do not
> have to think about baseline rules the admin may have in place. IOW, you can
> issue another rule to watch /etc/shadow for writes without checking to see if
> it already exists. Also, you can delete the rule without worry that you are
> deleting something the admin wants there as baseline.
I think it's useful to keep it, especially if it already works now. A
file may need auditing for multiple overlapping reasons, and it's nice to
get consistent results in that case.
It's a feature beyond what CAPP/LSPP requires and it's only available to
admins, so there is no need to specifically test these combinations if
you're just going for CC compliance.
-Klaus
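The key-based lifecycle described in the quoted message, as an added example that is not code from the thread or from the audit project: rules carrying our own key are selected and turned into the matching delete commands, while an unkeyed baseline rule on the same path is left alone. It assumes auditctl(8) syntax (`-w PATH -p PERMS -k KEY` for watches, `-a ... -F key=KEY` for syscall rules, `-W`/`-d` to delete) and prints the commands instead of running them, so it needs no root and works on a constructed sample of `auditctl -l` output; the key name `dynapp` is hypothetical.

```shell
#!/bin/sh
# Constructed sample of `auditctl -l` output: one admin baseline watch without
# a key, rules tagged with the hypothetical key "dynapp", and one keyed
# baseline syscall rule that must not be touched.
SAMPLE_RULES='-w /etc/shadow -p wa
-w /etc/shadow -p w -k dynapp
-w /etc/passwd -p w -k dynapp
-a always,exit -F arch=b64 -S open -F key=dynapp
-a always,exit -F arch=b64 -S unlink -F key=baseline'

# Print only the rules (read from stdin) tagged with the given key.
rules_with_key() {
    awk -v k="$1" '
        # watch form: the rule ends in "-k KEY"
        $(NF-1) == "-k" && $NF == k { print; next }
        # syscall form: the rule ends in "-F key=KEY"
        $(NF-1) == "-F" && $NF == ("key=" k) { print }
    '
}

# Turn each keyed rule into the matching delete command. A rule with a
# different key (or no key) is a distinct rule to the kernel, so the
# baseline watch on /etc/shadow is never matched.
delete_cmds_for_key() {
    rules_with_key "$1" | sed -e 's/^-w /auditctl -W /' -e 's/^-a /auditctl -d /'
}

# Command to add a watch tagged with our key, without first checking whether
# the admin already watches the same path.
add_keyed_watch() {
    echo "auditctl -w $1 -p $2 -k $3"
}

# Number of rules in the sample that carry the given key.
count_keyed() {
    printf '%s\n' "$SAMPLE_RULES" | rules_with_key "$1" | wc -l | tr -d ' '
}

add_keyed_watch /etc/shadow w dynapp
printf '%s\n' "$SAMPLE_RULES" | delete_cmds_for_key dynapp
```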