* rules.d on RHEL6
@ 2017-04-12 14:18 warron.french
  2017-04-12 14:25 ` Bond Masuda
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: warron.french @ 2017-04-12 14:18 UTC
  To: linux-audit



It appears that this directory is not used at all on RHEL6.

I know I have mentioned this before; but it's true.  If I *move* my copy of
audit.rules from /etc/audit into the subdirectory rules.d and restart
audit; the audit.rules file is not recopied/regenerated or whatever by the
auditd.

This behavior is different from RHEL7; where if you delete the
/etc/audit/audit.rules file or move it to /etc/audit/rules.d/audit.rules;
the auditd functions as I expect.


Can someone please correct my understanding?  Is the /etc/audit/rules.d
directory not supposed to be usable in RHEL6; but is in RHEL7?
--------------------------
Warron French


* Re: rules.d on RHEL6
  2017-04-12 14:18 rules.d on RHEL6 warron.french
@ 2017-04-12 14:25 ` Bond Masuda
  2017-04-12 14:33 ` Simon Sekidde
  2017-04-12 15:51 ` Steve Grubb
  2 siblings, 0 replies; 4+ messages in thread
From: Bond Masuda @ 2017-04-12 14:25 UTC
  To: warron.french; +Cc: linux-audit



There is a different default setting between RHEL6 and 7. See /etc/default/auditd, which I think has a parameter that controls the use of /etc/audit/rules.d.

⁣Sent from my mobile phone, please excuse the brevity.​

On Apr 12, 2017, 7:19 AM, at 7:19 AM, "warron.french" <warron.french@gmail.com> wrote:
>It appears that this directory is not used at all on RHEL6.
>
>I know I have mentioned this before; but it's true.  If I *move* my
>copy of
>audit.rules from /etc/audit into the subdirectory rules.d and restart
>audit; the audit.rules file is not recopied/regenerated or whatever by
>the
>auditd.
>
>This behavior is different from RHEL7; where if you delete the
>/etc/audit/audit.rules file or move it to
>/etc/audit/rules.d/audit.rules;
>the auditd functions as I expect.
>
>
>Can someone please correct my understanding?  Is the /etc/audit/rules.d
>directory not supposed to be usable in RHEL6; but is in RHEL7?
>--------------------------
>Warron French
>
>
>------------------------------------------------------------------------
>
>--
>Linux-audit mailing list
>Linux-audit@redhat.com
>https://www.redhat.com/mailman/listinfo/linux-audit


* Re: rules.d on RHEL6
  2017-04-12 14:18 rules.d on RHEL6 warron.french
  2017-04-12 14:25 ` Bond Masuda
@ 2017-04-12 14:33 ` Simon Sekidde
  2017-04-12 15:51 ` Steve Grubb
  2 siblings, 0 replies; 4+ messages in thread
From: Simon Sekidde @ 2017-04-12 14:33 UTC
  To: warron.french; +Cc: linux-audit



----- Original Message -----
> From: "warron.french" <warron.french@gmail.com>
> To: linux-audit@redhat.com
> Sent: Wednesday, April 12, 2017 10:18:55 AM
> Subject: rules.d on RHEL6
> 
> It appears that this directory is not used at all on RHEL6.
> 
> I know I have mentioned this before; but it's true. If I move my copy of
> audit.rules from /etc/audit into the subdirectory rules.d and restart audit;
> the audit.rules file is not recopied/regenerated or whatever by the auditd.
> 
> This behavior is different from RHEL7; where if you delete the
> /etc/audit/audit.rules file or move it to /etc/audit/rules.d/audit.rules;
> the auditd functions as I expect.
> 
> 
> Can someone please correct my understanding? Is the /etc/audit/rules.d
> directory not supposed to be usable in RHEL6; but is in RHEL7?

It's usable, but you have to run

 # augenrules --load

Note that this will overwrite /etc/audit/audit.rules

> --------------------------
> Warron French
> 
> 

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
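
Added example, not part of the thread and not code from the audit package: a pre-flight check for the overwrite noted above, listing rules that exist only in audit.rules and not in any *.rules file under rules.d. The function names and sample rules are constructed for illustration, and the line-by-line comparison is an assumption about what matters to the reader, not a reimplementation of augenrules.

```sh
#!/bin/sh
# Added example (not from the thread): report rules that exist only in
# audit.rules and are absent from every *.rules file under rules.d.

# Drop comment lines and blank lines, squeeze whitespace, sort uniquely.
normalise_rules() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' | LC_ALL=C sort -u
}

# rules_lost_on_regen [audit.rules] [rules.d dir]
# Prints rules found only in audit.rules; returns 1 if any, 2 on error.
rules_lost_on_regen() {
    current=${1:-/etc/audit/audit.rules}
    dropin_dir=${2:-/etc/audit/rules.d}
    [ -r "$current" ] || { echo "cannot read $current" >&2; return 2; }
    tmp_cur=$(mktemp) || return 2
    tmp_new=$(mktemp) || { rm -f "$tmp_cur"; return 2; }
    normalise_rules < "$current" > "$tmp_cur"
    # Only *.rules files in the drop-in directory are considered.
    for f in "$dropin_dir"/*.rules; do
        if [ -f "$f" ]; then cat "$f"; echo; fi
    done | normalise_rules > "$tmp_new"
    # comm -23: lines unique to the first (current) file.
    lost=$(LC_ALL=C comm -23 "$tmp_cur" "$tmp_new")
    rm -f "$tmp_cur" "$tmp_new"
    [ -n "$lost" ] || return 0
    printf '%s\n' "$lost"
    return 1
}

# Constructed sample: one rule lives only in audit.rules.
demo_constructed() {
    d=$(mktemp -d) || return 2
    mkdir "$d/rules.d"
    printf '%s\n' '# constructed sample' '-D' '-b 320' \
        '-w /etc/passwd -p wa -k identity' \
        '-w /etc/sudoers   -p wa -k scope' > "$d/audit.rules"
    printf '%s\n' '-D' '-b 320' > "$d/rules.d/10-base.rules"
    printf '%s\n' '-w /etc/passwd -p wa -k identity' > "$d/rules.d/30-id.rules"
    rc=0
    rules_lost_on_regen "$d/audit.rules" "$d/rules.d" || rc=$?
    rm -rf "$d"
    return $rc
}
```

Run rules_lost_on_regen with no arguments as root before augenrules --load; a non-empty listing means those rules should first be copied into a file under /etc/audit/rules.d.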


* Re: rules.d on RHEL6
  2017-04-12 14:18 rules.d on RHEL6 warron.french
  2017-04-12 14:25 ` Bond Masuda
  2017-04-12 14:33 ` Simon Sekidde
@ 2017-04-12 15:51 ` Steve Grubb
  2 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2017-04-12 15:51 UTC
  To: linux-audit

On Wednesday, April 12, 2017 10:18:55 AM EDT warron.french wrote:
> It appears that this directory is not used at all on RHEL6.
> 
> I know I have mentioned this before; but it's true.  If I *move* my copy of
> audit.rules from /etc/audit into the subdirectory rules.d and restart
> audit; the audit.rules file is not recopied/regenerated or whatever by the
> auditd.
> 
> This behavior is different from RHEL7; where if you delete the
> /etc/audit/audit.rules file or move it to /etc/audit/rules.d/audit.rules;
> the auditd functions as I expect.

This is mostly correct. The issue with RHEL 6 is that the augenrules program 
didn't exist when RHEL 6 was originally shipped. So, it would have been bad 
and unexpected for the behavior to suddenly change during an update to a 
shipped product. However, augenrules is useful, and anyone who wants to
use it on RHEL 6 may do so by opting in.

If you read the text in /etc/sysconfig/auditd you will see an explanation of 
how to enable augenrules.

-Steve

> Can someone please correct my understanding?  Is the /etc/audit/rules.d
> directory not supposed to be usable in RHEL6; but is in RHEL7?
> --------------------------
> Warron French
