Hello, I'm a bit new to auditd, so excuse me if this question has already been answered, but I failed to find answers.

I'm in the process of replacing a FIM tool with auditd, which is by far more powerful, but I wanted to describe all possible files and folders (or system calls) that I need to watch in a generic audit.rules file that I would deploy on thousands of hosts. Unfortunately, I do not only watch system-related files and folders but also application-specific ones (e.g. a custom path where some private keys are stored, etc.). My problem is that these folders do not exist on all hosts, thus making it impossible to write a generic audit.rules file. As I said, I have thousands of hosts and I can't imagine deploying different files on every host depending on the profile of the host. I know puppet could help me with this kind of stuff, but I don't have it yet, and even then it would be difficult to configure.

How do you guys usually work around this issue? I'm pretty sure I'm not the first one wanting to deploy a generic hardening across many hosts (but maybe I'm the only one using auditd to watch something other than pure system-related stuff?).

Thanks,
Florian

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
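One way to keep a single generic template and still get per-host rules is to render the template on each host at deploy time, keeping every rule as-is except the -w watches whose path is absent there. The script below is an added example, not code from the original post or from the audit project; the template layout, the "skipped" comment marker, and the sample paths are assumptions for illustration. The rendered file is what you would drop into /etc/audit/rules.d/ (or feed to augenrules) and the skipped watches stay visible as comments, so a reviewer can still see what the template intended.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): render a host-specific
# audit.rules from one generic template by dropping "-w <path>" watches
# whose path does not exist on this host. All other lines (syscall rules,
# -D, -b, comments) pass through untouched. The "# skipped" marker and
# the template format are assumptions made for this illustration.
set -eu

# render_rules TEMPLATE_FILE
# Emits each "-w <path> ..." rule only when <path> exists on the host;
# dropped watches are kept as comments so the rendered file documents
# what the template intended. Paths containing spaces are not supported
# by this simple second-field parse (auditd rules rarely need them).
render_rules() {
    local template="$1"
    local line path
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            -w\ *)
                path=$(printf '%s\n' "$line" | awk '{print $2}')
                if [ -e "$path" ]; then
                    printf '%s\n' "$line"
                else
                    printf '# skipped (path absent on this host): %s\n' "$line"
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$template"
}

# count_active_watches RULES_FILE
# Number of live "-w" rules in a rendered file (0 when there are none).
count_active_watches() {
    grep -c '^-w ' "$1" || true
}

# demo: constructed template with one present and one absent application
# path, rendered into a scratch directory and printed.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/app"
    : > "$tmp/etc/app/server.key"          # present on this "host"
    cat > "$tmp/audit.rules.tmpl" <<EOF
-D
-b 8192
-w $tmp/etc/app/server.key -p rwa -k app_keys
-w $tmp/opt/other-app/secrets -p rwa -k app_keys
-a always,exit -F arch=b64 -S execve -k exec
EOF
    render_rules "$tmp/audit.rules.tmpl" > "$tmp/audit.rules"
    cat "$tmp/audit.rules"
    echo "active watches: $(count_active_watches "$tmp/audit.rules")"
    rm -rf "$tmp"
}

demo
```

Run it at deploy time from whatever already pushes files to the fleet (cron, a package post-install script, or later a configuration-management agent); because the template is identical everywhere, only the rendered output differs per host, and re-rendering after an application is installed picks up the newly present paths.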
