All,

Has anyone considered allowing an includeConfig statement for audit.rules (or auditd.conf if need be)?

The action would be to, at that point in the parse (or the end of the file, if auditd.conf holds the directive), open the nominated directory and any files within, and parse them. The idea is to allow for localization of audit. At an enterprise level one would deploy the common, corporate set of rules in /etc/audit/audit.rules. Should a local system need additional rules such as tailored file watches, workstation- or capability-specific monitoring, these could appear in files in the includeConfig directory. That way, distribution mechanisms such as puppet, rpm satellite server, apt repositories, etc. can maintain the corporate set of rules without changing localized configurations on updates.

I'm happy to author this.

Regards
Burn Alting

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
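To make the proposed semantics concrete, here is an added, stand-alone Python sketch (not auditd's parser and not code from the poster) of how an `includeConfig <directory>` directive could be resolved: the directive is replaced, at the point where it appears, by the rules found in `*.rules` files in the named directory, so a corporate baseline delivered by puppet, rpm or apt can keep a trailing `-e 2` while host-local watches are spliced in before it. The directive name, the `.rules` suffix filter, sorted-by-name ordering and the loop guard are all assumptions of this sketch; the rules themselves are constructed sample input.

```python
# Added illustration of the proposed includeConfig directive for audit.rules.
# This is NOT auditd's own parser; it is a standalone sketch that resolves a
# hypothetical "includeConfig <directory>" line by splicing in the *.rules
# files found in that directory at the point of the directive.
import tempfile
from pathlib import Path

DIRECTIVE = "includeConfig"  # assumed directive name


def expand_rules(rules_path, _seen=None):
    """Return the effective rule lines for rules_path, with every
    includeConfig directive replaced by the contents of the named directory.

    Files are taken in sorted name order so the result is deterministic; a
    directory that does not exist yields no rules (a host with no local
    tailoring simply gets the corporate set). Each file is visited at most
    once so a misconfigured include loop cannot recurse forever.
    """
    rules_path = Path(rules_path).resolve()
    seen = _seen if _seen is not None else set()
    if rules_path in seen:
        return []
    seen.add(rules_path)

    out = []
    for raw in rules_path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no rule
        parts = line.split(None, 1)
        if parts[0] == DIRECTIVE:
            if len(parts) != 2:
                raise ValueError(f"{rules_path}: {DIRECTIVE} needs a directory argument")
            inc_dir = Path(parts[1].strip())
            if not inc_dir.is_absolute():
                inc_dir = rules_path.parent / inc_dir  # relative to the including file
            if inc_dir.is_dir():
                for child in sorted(inc_dir.iterdir()):
                    if child.is_file() and child.suffix == ".rules":
                        out.extend(expand_rules(child, seen))
            continue
        out.append(line)
    return out


def demo():
    """Build a constructed example tree and return the merged rule list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        local = root / "audit.rules.d"
        local.mkdir()
        # corporate baseline, as puppet/rpm/apt would deliver it (constructed sample)
        (root / "audit.rules").write_text(
            "-D\n-b 8192\n"
            "-w /etc/passwd -p wa -k identity\n"
            "includeConfig audit.rules.d\n"
            "-e 2\n"
        )
        # host-specific tailoring that must survive baseline updates (constructed)
        (local / "10-workstation.rules").write_text(
            "-w /home/shared -p wa -k local-shares\n"
        )
        (local / "20-app.rules").write_text(
            "# watch the app config\n-w /opt/app/conf -p wa -k app-config\n"
        )
        (local / "README.txt").write_text("not a rules file; ignored\n")
        return expand_rules(root / "audit.rules")


if __name__ == "__main__":
    for rule in demo():
        print(rule)
```

Running the block prints the six effective rules in order: the baseline's `-D`, `-b 8192` and `/etc/passwd` watch, then the two local watches in file-name order, then `-e 2` last, which is the property that matters when the baseline locks the configuration. Later auditd releases ship a comparable mechanism, `augenrules`, which merges `/etc/audit/rules.d/*.rules` into a single rules file.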
