On Wed, 25 Apr 2018 13:01:11 -0400 "warron.french" <[email protected]> wrote:
> Thanks *F Rafi.*
>
> *Steve*, does the "-i" flag go on a line simply by itself?

Yes. Just like the -D at the top of the rules.

> And so the benefit of this switch is that for rules applied through
> the audit.rules file; that are monitoring files - wherein the files
> are not on the system will do which:
> 1. Not load the rule, skip to the next rule and load it if possible?

Yes

> 2. Load the rule, but will simply not indicate an error at all?
>
> Therefore all rules that can be loaded will be loaded (if the files
> are in place) and those that don't actually have their files to
> monitor will simply not be added to the chain of rules?

Yes. Note that there is also a '-c' rule that will continue loading and
then give you a summary yes/no. Yes all rules loaded, No one or more
rules did not load. The '-i' will always report success.

-Steve

> --------------------------
> Warron French
>
>
> On Wed, Apr 25, 2018 at 10:06 AM, F Rafi <[email protected]> wrote:
>
> > Warron,
> >
> > > Furthermore, where would I add the -i switch to a rule like this
> > > one:
> >
> > You basically put a "-i" on a separate line by itself afaik
> > somewhere at the top of the audit rules file. All the rules below
> > the -i line will not cause a load failure (Steve and RGB can
> > confirm).
> >
> > Farhan
> >
> > On Tue, Apr 24, 2018 at 8:49 PM Richard Guy Briggs <[email protected]>
> > wrote:
> >> On 2018-04-24 18:04, warron.french wrote:
> >> > Furthermore, where would I add the -i switch to a rule like this
> >> > one:
> >> >
> >> > -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F
> >> > auid>=1000 -F auid!=4294967295 -k privileged
> >>
> >> I'm not aware of any per-rule switches to permit failure to load
> >> to be non-fatal. I was suggesting it might help in your situation
> >> to add such a feature, but I think the better solution is a
> >> customized rule set for each machine or type of machine.
> >>
> >> > ??
> >> >
> >> > --------------------------
> >> > Warron French
> >> >
> >> >
> >> > On Tue, Apr 24, 2018 at 6:03 PM, warron.french
> >> > <[email protected]> wrote:
> >> >
> >> > > Mr. Briggs/Rafi,
> >> > >
> >> > > I don't see the -i switch even mentioned in the manpage for
> >> > > audit.rules. Is this a documented switch, or not yet a
> >> > > capability on Red Hat or CentOS systems?
> >> > >
> >> > > Thanks in advance,
> >> > >
> >> > > --------------------------
> >> > > Warron French
> >> > >
> >> > >
> >> > > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs
> >> > > <[email protected]> wrote:
> >> > >
> >> > >> On 2018-04-23 23:41, F Rafi wrote:
> >> > >> > Adding a -i to the rules file should ignore any errors.
> >> > >>
> >> > >> At risk of feature creep, it might be nice to have a flag to
> >> > >> ignore certain rules but not others, a way to tag individual
> >> > >> rules with either a must, or a different tag with "ignore if
> >> > >> not present" for file rules.
> >> > >>
> >> > >> > -Farhan
> >> > >> >
> >> > >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french
> >> > >> > <[email protected]> wrote:
> >> > >> > > Hi, I have a requirement to monitor a ton of files,
> >> > >> > > executables and config files.
> >> > >> > >
> >> > >> > > Anyway, not all of my systems have every file in the
> >> > >> > > list; and when I add the rules appropriate, either as a
> >> > >> > > Watch (-w) rule or as an Action (-a) rule, the rules stop
> >> > >> > > loading when they find a rule that has a file that
> >> > >> > > doesn't exist *on that particular system*.
> >> > >> > >
> >> > >> > > This is the intended effect, yes?
> >> > >> > >
> >> > >> > > Thanks in advance,
> >> > >> > > --------------------------
> >> > >> > > Warron French
> >> > >>
> >> > >> - RGB
> >> > >>
> >> > >> --
> >> > >> Richard Guy Briggs <[email protected]>
> >> > >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> > >> Remote, Ottawa, Red Hat Canada
> >> > >> IRC: rgb, SunRaycer
> >> > >> Voice: +1.647.777.2635, Internal: (81) 32635
> >> > >>
> >> > >
> >> > >
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <[email protected]>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >
>

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
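The thread describes two ways to cope with a shared rules file on hosts that lack some of the watched files: put `-i` on a line of its own near the top so failed rules are skipped (Steve's answer), or generate a customised rule set per machine (Richard's suggestion). The shell script below is an added example, not code from the thread or from the audit project; it combines both by emitting the `-D`/`-b`/`-i` header and then only the watch rules whose target exists on the host. The backlog size, the `-w ... -p x` watch form and the key name `privileged` are constructed for illustration, and `demo` only works in a scratch directory.

```shell
#!/bin/sh
# Added example: build an audit.rules file that carries the "-i" header
# described in the thread and only emits watch rules for files that exist
# on this host. Paths, the backlog size and the key are constructed values.

# gen_audit_rules KEY PATH...
# Prints a rules file to stdout. Files that do not exist are reported on
# stderr and skipped, so one list can be applied on heterogeneous hosts.
gen_audit_rules() {
    key=$1
    shift
    # Header: flush existing rules, set the backlog, then "-i" so that any
    # rule below which still fails to load does not abort the whole file.
    printf '%s\n' '-D' '-b 8192' '-i'
    for p in "$@"; do
        if [ -e "$p" ]; then
            # Watch for execute access on the path, tagged with the key.
            printf '%s %s -p x -k %s\n' '-w' "$p" "$key"
        else
            printf 'skipping %s: not present on this host\n' "$p" >&2
        fi
    done
}

# count_rules FILE: number of -w/-a rule lines in a generated rules file,
# a quick sanity check before handing the file to augenrules/auditctl.
count_rules() {
    grep -c -E '^-(w|a) ' "$1"
}

# demo: run the generator against a constructed scratch directory holding
# one present and one missing file; prints the number of rules emitted.
demo() {
    d=$(mktemp -d)
    touch "$d/present"
    gen_audit_rules privileged "$d/present" "$d/missing" \
        > "$d/audit.rules" 2>/dev/null
    count_rules "$d/audit.rules"
    rm -rf "$d"
}
```

Because the generated file keeps `-i`, a rule that still fails for another reason (a bad field, say) is skipped silently; if you want the yes/no summary Steve mentions instead, replace the `-i` line with `-c` and check the loader's exit status.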
