Re: Monitoring files

Furthermore, where would I add the -i switch to a rule like this one: -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

?? -------------------------- Warron French On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.french(a)gmail.com&gt; wrote: > Mr. Briggs/Rafi, > > I don't see the -i switch even mentioned in the manpage for audit.rules. > Is this a documented switch, or not yet a capability on Red Hat or CentOS > systems? > > Thanks in advance, > > -------------------------- > Warron French > > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <rgb(a)redhat.com&gt; > wrote: > >> On 2018-04-23 23:41, F Rafi wrote: >> > Adding a -i to the rules file should ignore any errors. >> >> At risk of feature creep, it might be nice to have a flag to ignore >> certain rules but not others, a way to tag individual rules with either >> a must, or a different tag with "ignore if not present" for file rules. >> >> > -Farhan >> > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.french(a)gmail.com&gt; >> wrote: >> > > Hi, I have a requirement to monitor a ton of files, executables and >> confug >> > > files. >> > > >> > > Anyway, not all of my systems have every file in the list; and when I >> add >> > > the rules appropriate, either as a Watch (-w) rule or as an Action >> (-a) >> > > rule, the rules stop loading when the find a rule that has a file that >> > > doesn't exist *on that particular system*. >> > > >> > > This is the intended effect, yes? >> > > >> > > Thanks in advance, >> > > -------------------------- >> > > Warron French >> >> - RGB >> >> -- >> Richard Guy Briggs <rgb(a)redhat.com&gt; >> Sr. S/W Engineer, Kernel Security, Base Operating Systems >> Remote, Ottawa, Red Hat Canada >> IRC: rgb, SunRaycer >> Voice: +1.647.777.2635, Internal: (81) 32635 >> > >