Steve, I will make the changes on the weekend and re-submit.
Rgds

On Thu, 2013-04-18 at 09:49 -0400, Steve Grubb wrote:
> On Sunday, April 07, 2013 09:16:46 PM Burn Alting wrote:
> > Please find attached my patch on this matter.
>
> Thanks for taking this on.
>
> > In essence, /etc/audit/audit.rules is now formed from files (.rules
> > suffixed) within /etc/audit/rules.d. The new script /sbin/augenrules is
> > executed from either startup script, /etc/init.d/auditd
> > or /usr/lib/systemd/system/auditd.service, before calling auditctl.
>
> One issue that I am concerned about is how this feature gets added to existing
> setups. For example, someone may have a /etc/audit/audit.rules file, then
> upgrade and if there is an empty shipped policy in /etc/audit/audit.d, it will
> erase the installed rules.
>
> So, I think we should have an /etc/sysconfig option that enables augenrules so
> that an admin has to do something to turn this on, thus preventing automatic
> deletion of rules.
>
> For systemd, I think we want to ship the service file with the ExecStartPost
> line commented out, which then requires an admin to take an action to enable it.
> We really don't want unexpected things to happen during an upgrade.
>
> > The generated file ensures
> > - the last processed -D directive without an option, if present, is
> > emitted on the first line
>
> In generating rules, we should always start with -D. I can't imagine not
> having it.
>
> > - the last processed -b directive, if present, is emitted on the second
> > line
>
> We probably want the largest in all the processed files.
>
> > - the last processed -f directive, if present, is emitted on the third
> > line
>
> We probably want the largest here, too.
>
> > - the last processed -e directive, if present, is emitted as the last
> > line.
>
> I was thinking that if any of the files try to ask for it to be immutable, then
> it should go at the end.
>
> > The file, /etc/audit/audit.rules, is only updated if it has changed.
> > > https://www.redhat.com/mailman/listinfo/linux-audit
>
> That is great, because any write could be an auditable event. At some point we
> also might want to add support for a --check option which does everything
> except overwrite the final rules.
>
> -Steve

-- 
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
