> On Jul 30, 2014, at 04:33 PM, Steve Grubb <[email protected]> wrote:
>
>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>> > Does the system allow for the import/include of groups of rules in other
>> > files - like logrotate and /etc/logrotate.d/* ?
>>
>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
>> can be dropped off. The augenrules utility will "compile" those into a master
>> audit.rules file. You also have to enable augenrules by setting
>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. That is about as close as it
>> comes.
>>
>> -Steve
>
> Thanks for the quick answer.
> Any plans to release 2.3.x to RHEL 6 that can be shared?
I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing the following:

- Steal the augenrules script from a Fedora or RHEL7 package
- Use my configuration management system to create and manage files in /etc/audit/rules.d
- Schedule periodic runs of augenrules

I didn't have to set USE_AUGENRULES (maybe because the older audit system doesn't know to care?). It has been working very well for me as a way of managing differences in audit rules on systems while still keeping things centralized.

--Ray

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
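Added example, not part of the original thread or of the audit package: a cron wrapper for the "schedule periodic runs of augenrules" step, which regenerates the merged file and reloads the kernel rules only when that file actually changed. The binary locations, the wrapper's install path and the schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Cron wrapper for hosts whose init
# script predates augenrules. Install path and schedule are hypothetical:
#   */30 * * * * root /usr/local/sbin/sync-audit-rules run
# Assumed locations of the copied script and of auditctl; override as needed.
AUGENRULES=${AUGENRULES:-/sbin/augenrules}
AUDITCTL=${AUDITCTL:-/sbin/auditctl}
RULES_FILE=${RULES_FILE:-/etc/audit/audit.rules}

# Rebuild audit.rules from rules.d, then reload the kernel rule set only if
# the merged file changed. Prints "unchanged" or "reloaded"; returns 2 on error.
sync_audit_rules() {
    before=$(mktemp) || return 2
    # Snapshot the current merged file (empty snapshot if none exists yet).
    cp "$RULES_FILE" "$before" 2>/dev/null || : > "$before"

    # With no options augenrules only regenerates the merged file.
    if ! "$AUGENRULES" >/dev/null; then
        rm -f "$before"
        echo "augenrules failed; keeping currently loaded rules" >&2
        return 2
    fi

    if cmp -s "$before" "$RULES_FILE"; then
        rm -f "$before"
        echo unchanged
        return 0
    fi
    rm -f "$before"

    # auditctl -R reads rules from a file. It fails if the running
    # configuration is locked with -e 2, which only a reboot clears.
    if ! "$AUDITCTL" -R "$RULES_FILE" >/dev/null; then
        echo "auditctl could not load $RULES_FILE" >&2
        return 2
    fi
    echo reloaded
}

# Run only when invoked as "<script> run", so the file can also be sourced.
case "${1:-}" in
    run) sync_audit_rules ;;
esac
```

Skipping the reload when nothing changed avoids flushing and re-adding every rule on each cron run.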
