On Jul 31, 2014, at 9:58 AM, [email protected] wrote:

>> On Jul 30, 2014, at 04:33 PM, Steve Grubb <[email protected]> wrote:
>>
>>> On Wednesday, July 30, 2014 08:21:45 PM Dan White wrote:
>>>> Does the system allow for the import/include of groups of rules in other
>>>> files - like logrotate and /etc/logrotate.d/* ?
>>>
>>> No, but in 2.3 and later there is a /etc/audit/rules.d/ directory where rules
>>> can be dropped off. The augenrules utility will "compile" those into a master
>>> audit.rules file. You also have to enable augenrules by setting
>>> USE_AUGENRULES="yes" in /etc/sysconfig/audit. that is about as close as it
>>> comes.
>>>
>>> -Steve
>>
>> Thanks for the quick answer.
>> Any plans to release 2.3.x to RHEL 6 that can be shared ?
>
> I was able to "backport" this functionality to RHEL6 (and RHEL5) by doing
> the following:
>
> - Steal the augenrules script from a Fedora or RHEL7 package
> - Use my configuration management system to create and manage files in
>   /etc/audit/rules.d
> - Schedule periodic runs of augenrules
>
> I didn't have to set USE_AUGENRULES (maybe because the older audit system
> doesn't know to care?). It has been working very well for me as a way of
> managing differences in audit rules on systems while still keeping things
> centralized.
>
> --Ray
>
Great idea. I may explore that. Thanks.

“Sometimes I think the surest sign that intelligent life exists elsewhere in
the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)
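An added example, not part of the thread and not the augenrules script: a drift check a scheduled job could run to confirm that a master rules file still matches the fragments dropped in a rules.d directory. It assumes fragments are named *.rules and are simply concatenated in filename order with comments and blank lines ignored; the function names and sample rules are constructed for illustration.

```shell
#!/bin/sh
# Simplified stand-in for the "compile" step discussed above (assumption:
# plain concatenation in sorted filename order, comments/blank lines dropped).

# merge_rules DIR: print the effective rules from DIR/*.rules.
merge_rules() {
    dir=$1
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue              # glob matched nothing
        grep -Ev '^[[:space:]]*(#|$)' "$f" || true
    done
}

# effective_rules FILE: apply the same filter to a master rules file.
effective_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# rules_in_sync DIR MASTER: return 0 if MASTER matches the merged fragments,
# non-zero if a fragment changed or MASTER was edited directly.
rules_in_sync() {
    want=$(merge_rules "$1")
    have=$(effective_rules "$2")
    [ "$want" = "$have" ]
}

# Demo on constructed sample data in a temporary directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules.d"
printf '%s\n' '# base settings' '-D' '-b 8192' > "$demo_dir/rules.d/10-base.rules"
printf '%s\n' '-w /etc/passwd -p wa -k identity' > "$demo_dir/rules.d/30-identity.rules"
merge_rules "$demo_dir/rules.d" > "$demo_dir/audit.rules"

if rules_in_sync "$demo_dir/rules.d" "$demo_dir/audit.rules"; then
    echo "in sync"
fi

# Simulate a hand edit to the master file that bypasses rules.d.
echo '-w /etc/shadow -p wa -k identity' >> "$demo_dir/audit.rules"
if ! rules_in_sync "$demo_dir/rules.d" "$demo_dir/audit.rules"; then
    echo "drift detected: master file differs from rules.d"
fi
rm -rf "$demo_dir"
```

On a real host the two arguments would be /etc/audit/rules.d and the master audit.rules file named in the thread.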
