* adding rules after setting rules immutable
@ 2016-09-08 13:42 warron.french
  2016-09-08 13:52 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: warron.french @ 2016-09-08 13:42 UTC (permalink / raw)
  To: linux-audit



While working with RHEL-6 and RHEL-7 systems, and understanding that you
can set rules to immutable by adding *-e 2* to the end of the audit.rules
file(s), I realized something.


If I want to add rules to a system due to new IT Governance, I might have
to reboot every machine that gets the newly added rules.


Is this true, or can I get away with simply executing, on both versions of
RHEL (6 and 7):
augenrules --check
augenrules --load


I ask, because I want to write some puppet code that is smart enough to
ensure the rules are put into place.  Do I really have to reboot a server
in the middle of a work day or can I work around it with the use of the
*augenrules* commands as listed above?


Thanks in advance,
--------------------------
Warron French


* Re: adding rules after setting rules immutable
  2016-09-08 13:42 adding rules after setting rules immutable warron.french
@ 2016-09-08 13:52 ` Steve Grubb
  2016-09-08 16:16   ` Richard Guy Briggs
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2016-09-08 13:52 UTC (permalink / raw)
  To: linux-audit

On Thursday, September 8, 2016 9:42:09 AM EDT warron.french wrote:
> While working with RHEL-6 and RHEL-7 systems, and understanding that you
> can set rules to immutable by adding *-e 2* to the end of the audit.rules
> file(s), I realized something.
> 
> If I want to add rules to a system due to new IT Governance, I might have
> to reboot every machine that gets the newly added rules.

Yes, you need to reboot. This is what immutable means - no changes allowed 
during runtime.


> Is this true, or can I get away with simply executing, on both versions of
> RHEL (6 and 7):
> augenrules --check
> augenrules --load

These will fail.


> I ask, because I want to write some puppet code that is smart enough to
> ensure the rules are put into place.  Do I really have to reboot a server
> in the middle of a work day or can I work around it with the use of the
> *augenrules* commands as listed above?

This is what immutable does. If you need flexibility to change rules at will, 
then you should comment out or delete the -e 2 at the end.

-Steve


* Re: adding rules after setting rules immutable
  2016-09-08 13:52 ` Steve Grubb
@ 2016-09-08 16:16   ` Richard Guy Briggs
  0 siblings, 0 replies; 3+ messages in thread
From: Richard Guy Briggs @ 2016-09-08 16:16 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On 2016-09-08 09:52, Steve Grubb wrote:
> On Thursday, September 8, 2016 9:42:09 AM EDT warron.french wrote:
> > While working with RHEL-6 and RHEL-7 systems, and understanding that you
> > can set rules to immutable by adding *-e 2* to the end of the audit.rules
> > file(s), I realized something.
> > 
> > If I want to add rules to a system due to new IT Governance, I might have
> > to reboot every machine that gets the newly added rules.
> 
> Yes, you need to reboot. This is what immutable means - no changes allowed 
> during runtime.
> 
> > Is this true, or can I get away with simply executing, on both versions of
> > RHEL (6 and 7):
> > augenrules --check
> > augenrules --load
> 
> These will fail.

Warron, it isn't userspace that is gating this.  Once immutable is set,
the kernel simply stops listening to any changes requested.  Once
userspace invokes this command, it is powerless to change it until the
next boot.

> > I ask, because I want to write some puppet code that is smart enough to
> > ensure the rules are put into place.  Do I really have to reboot a server
> > in the middle of a work day or can I work around it with the use of the
> > *augenrules* commands as listed above?
> 
> This is what immutable does. If you need flexibility to change rules at will, 
> then you should comment out or delete the -e 2 at the end.
> 
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
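The check the replies above imply, as an added example that is not part of any message in this thread: read the kernel's audit state before attempting `augenrules --load`, and report that a reboot is required when it is 2. The function names and sample outputs are constructed for illustration, and it assumes `auditctl -s` reports the flag either as `enabled=2` on one line or as `enabled 2` on a line of its own.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether audit rules can be
# loaded now or only after a reboot.

# Read `auditctl -s` output on stdin and print the kernel's "enabled"
# value (0, 1 or 2). Exit status 1 if no such field is present.
audit_enabled_state() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^enabled=[0-9]+$/) { split($i, kv, "="); print kv[2]; found = 1; exit }
            if (($i == "enabled") && ($(i + 1) ~ /^[0-9]+$/)) { print $(i + 1); found = 1; exit }
        }
    }
    END { exit !found }'
}

# Read a rules file on stdin; succeed if its last uncommented -e
# directive is "-e 2", i.e. the next boot will lock the rules again.
rules_request_immutable() {
    awk '$1 == "-e" { last = $2 } END { exit !(last == "2") }'
}

# Map the kernel state to the action a configuration-management run can take.
plan_rule_update() {
    case "$1" in
        2)   echo reboot-required ;;  # kernel ignores rule changes until next boot
        0|1) echo load ;;             # augenrules --load can apply the new rules
        *)   echo unknown; return 1 ;;
    esac
}

# Constructed samples of `auditctl -s` output, not captured from a real host.
SAMPLE_ONE_LINE='AUDIT_STATUS: enabled=2 flag=1 pid=1203 rate_limit=0 backlog_limit=320 lost=0 backlog=0'
SAMPLE_PER_LINE='enabled 1
failure 1
pid 1203
backlog_limit 320'

for sample in "$SAMPLE_ONE_LINE" "$SAMPLE_PER_LINE"; do
    state=$(printf '%s\n' "$sample" | audit_enabled_state)
    printf 'enabled=%s -> %s\n' "$state" "$(plan_rule_update "$state")"
done

# On a live host (as root): plan_rule_update "$(auditctl -s | audit_enabled_state)"
```

A configuration-management run can use the `reboot-required` result to schedule a reboot instead of running `augenrules --load`, and `rules_request_immutable` to confirm whether the rules on disk will lock again at the next boot.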
