Re: audit.rules file [Was: audit 2.3 released]

Le Wed, 01 May 2013 10:29:07 -0400, Steve Grubb <sgrubb(a)redhat.com&gt; a écrit : > Hi, Hello, [...] > > Several people have asked for a way to deposit rules into a directory > so that based on what is installed, rules can also be added. This > makes it easier to have a core system that gets packages, config, and > files added to make it a different kind of server or desktop. My > guess is that it will be mostly used to add watches on setuid apps > which can differ from machine type to machine type. > > The place where these rules are stored is /etc/audit/rules.d. > Compiling rules from that directory will result in a new file being > written to /etc/audit/audit.rules. That means it can overwrite > existing rules. Since we don't want that to happen by accident, > augenrules is disabled by default. [...] The make install rule is now installing audit.rules in the /etc/audit/rules.d directory. What would happen on fresh installation if augenrules call is disabled and that /etc/audit/audit.rules is not existing? Will /etc/audit/rules.d/audit.rules be called as a fallback? Or should distributions take care of shipping both /etc/audit/audit.rules and /etc/audit/rules.d/audit.rules? What do you think? Cheers Laurent Bigonville -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit