On Wed, 25 Apr 2018 13:01:11 -0400
"warron.french" <warron.french(a)gmail.com> wrote:
Thanks *F Rafi.*
*Steve*, does the "-i" flag go on a line simply by itself?
Yes. Just like the -D at the top of the rules.
And so the benefit of this switch is that for rules applied through
the audit.rules file; that are monitoring files - wherein the files
are not on the system will do which:
1. Not load the rule, skip to the next rule and load it if possible?
Yes
2. Load the rule, but will simply not indicate an error at all?
Therefore all rules that can be loaded will be loaded (if the files
are in place) and those that don't actually have their files to
monitor will simply not be added to the chain of rules?
Yes. Note that there is also a '-c' rule that will continue loading and
then give you a summary yes/no. Yes all rules loaded, No one or more
rules did not load. The '-i' will always report success.
-Steve
--------------------------
Warron French
On Wed, Apr 25, 2018 at 10:06 AM, F Rafi <farhanible(a)gmail.com> wrote:
> Warron,
>
> > Furthermore, where would I add the -i switch to a rule like this
> > one:
>
> You basically put a "-i" on a separate line by itself afaik
> somewhere at the top of the audit rules file. All the rules below
> the -i line will not cause a load failure (Steve and RGB can
> confirm).
>
> Farhan
>
> On Tue, Apr 24, 2018 at 8:49 PM Richard Guy Briggs <rgb(a)redhat.com>
> wrote:
>> On 2018-04-24 18:04, warron.french wrote:
>> > Furthermore, where would I add the -i switch to a rule like this
>> > one:
>> >
>> > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F
>> > auid>=1000 -F auid!=4294967295 -k privileged
>>
>> I'm not aware of any per-rule switches to permit failure to load
>> to be non-fatal. I was suggesting it might help in your situation
>> to add such a feature, but I think the better solution is a
>> customized rule set for each machine or type of machine.
>>
>> > ??
>> >
>> > --------------------------
>> > Warron French
>> >
>> >
>> > On Tue, Apr 24, 2018 at 6:03 PM, warron.french
>> > <warron.french(a)gmail.com> wrote:
>> >
>> > > Mr. Briggs/Rafi,
>> > >
>> > > I don't see the -i switch even mentioned in the manpage for
>> > > audit.rules. Is this a documented switch, or not yet a capability
>> > > on Red Hat or CentOS systems?
>> > >
>> > > Thanks in advance,
>> > >
>> > > --------------------------
>> > > Warron French
>> > >
>> > >
>> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs
>> > > <rgb(a)redhat.com> wrote:
>> > >
>> > >> On 2018-04-23 23:41, F Rafi wrote:
>> > >> > Adding a -i to the rules file should ignore any errors.
>> > >>
>> > >> At risk of feature creep, it might be nice to have a flag to
>> > >> ignore certain rules but not others, a way to tag individual
>> > >> rules with either a must, or a different tag with "ignore if not
>> > >> present" for file rules.
>> > >>
>> > >> > -Farhan
>> > >> >
>> > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french
>> > >> > <warron.french(a)gmail.com> wrote:
>> > >> > > Hi, I have a requirement to monitor a ton of files, executables
>> > >> > > and config files.
>> > >> > >
>> > >> > > Anyway, not all of my systems have every file in the list; and
>> > >> > > when I add the rules appropriate, either as a Watch (-w) rule or
>> > >> > > as an Action (-a) rule, the rules stop loading when they find a
>> > >> > > rule that has a file that doesn't exist *on that particular
>> > >> > > system*.
>> > >> > >
>> > >> > > This is the intended effect, yes?
>> > >> > >
>> > >> > > Thanks in advance,
>> > >> > > --------------------------
>> > >> > > Warron French
>> > >>
>> > >> - RGB
>> > >>
>> > >> --
>> > >> Richard Guy Briggs <rgb(a)redhat.com>
>> > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
>> > >> Remote, Ottawa, Red Hat Canada
>> > >> IRC: rgb, SunRaycer
>> > >> Voice: +1.647.777.2635, Internal: (81) 32635
>> > >>
>> > >
>> > >
>>
>> - RGB
>>
>> --
>> Richard Guy Briggs <rgb(a)redhat.com>
>> Sr. S/W Engineer, Kernel Security, Base Operating Systems
>> Remote, Ottawa, Red Hat Canada
>> IRC: rgb, SunRaycer
>> Voice: +1.647.777.2635, Internal: (81) 32635
>>
>> --
>> Linux-audit mailing list
>> Linux-audit(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>
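The thread's answer is that a bare `-i` line at the top of the rules file makes auditctl skip rules whose watched file is missing and still report success, while `-c` continues loading but reports whether anything failed. The script below is an added example, not code from the thread or from the audit project: a pre-flight check a defender can run on a rules file before deploying it to a host, listing the `-w` and `-F path=` rules whose target does not exist there, which is exactly the set that would abort the load without `-i` or would make `-c` answer "No". It writes its own constructed sample rules file (the `present.conf`, `absent.conf` and `not-installed-tool` paths are invented for the demo) and does not need auditctl or root.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an audit rules file.
# auditctl aborts at the first rule whose watched file is missing unless the
# file starts with a bare "-i" (ignore errors) or is loaded with "-c"
# (continue and report). This lists the rules that would trip that check here.

rule_target() {
    # Print the path a single rule line watches; print nothing for other rules.
    case "$1" in
        -w\ *)       printf '%s\n' "$1" | awk '{ print $2 }' ;;
        *-F\ path=*) printf '%s\n' "$1" | sed -n 's/.*-F path=\([^ ]*\).*/\1/p' ;;
    esac
}

missing_targets() {
    # Print each rule in file $1 whose target path does not exist on this host.
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        target=$(rule_target "$line")
        if [ -n "$target" ] && [ ! -e "$target" ]; then
            printf '%s\n' "$line"
        fi
    done < "$1"
}

count_missing() {
    # Number of rules in file $1 that reference an absent path.
    missing_targets "$1" | wc -l | tr -d ' '
}

ignore_flag_set() {
    # Succeed if the file carries a bare "-i" line, as described in the thread.
    grep -qx -- '-i' "$1"
}

make_sample_rules() {
    # Constructed sample (assumption, not a real deployment): writes
    # $1/audit.rules and one watched file that exists ($1/present.conf);
    # $1/absent.conf and $1/not-installed-tool are deliberately absent.
    : > "$1/present.conf"
    cat > "$1/audit.rules" <<EOF
-D
-i
-w $1/present.conf -p wa -k example-present
-w $1/absent.conf -p wa -k example-missing
-a always,exit -F path=/bin/sh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=$1/not-installed-tool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
EOF
}

report() {
    # Human-readable summary for rules file $1.
    n=$(count_missing "$1")
    if [ "$n" -eq 0 ]; then
        echo "all watched paths exist; the file loads cleanly without -i"
    elif ignore_flag_set "$1"; then
        echo "$n rule(s) reference absent paths; -i is set, so they are skipped silently:"
        missing_targets "$1"
    else
        echo "$n rule(s) reference absent paths; loading would stop at the first one:"
        missing_targets "$1"
    fi
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
report "$demo_dir/audit.rules"
rm -rf "$demo_dir"
```

Run it against a real `/etc/audit/rules.d/*.rules` file with `report /etc/audit/rules.d/audit.rules` to see, per host, which watches `-i` would drop; that list is the input for the per-machine rule sets RGB recommends, since a silently skipped watch is a monitoring gap rather than an error.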