* Monitoring files
@ 2018-04-24  1:19 warron.french
  2018-04-24  3:41 ` F Rafi
  0 siblings, 1 reply; 11+ messages in thread
From: warron.french @ 2018-04-24  1:19 UTC (permalink / raw)
  To: linux-audit



Hi, I have a requirement to monitor a ton of files, executables and config
files.

Anyway, not all of my systems have every file in the list; and when I add
the appropriate rules, either as a Watch (-w) rule or as an Action (-a)
rule, the rules stop loading when they find a rule that has a file that
doesn't exist *on that particular system*.

This is the intended effect, yes?

Thanks in advance,
--------------------------
Warron French




^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: Monitoring files
  2018-04-24  1:19 Monitoring files warron.french
@ 2018-04-24  3:41 ` F Rafi
  2018-04-24 15:14   ` Richard Guy Briggs
  0 siblings, 1 reply; 11+ messages in thread
From: F Rafi @ 2018-04-24  3:41 UTC (permalink / raw)
  To: warron.french; +Cc: Linux Audit



Adding a -i to the rules file should ignore any errors.

-Farhan


* Re: Monitoring files
  2018-04-24  3:41 ` F Rafi
@ 2018-04-24 15:14   ` Richard Guy Briggs
       [not found]     ` <CAJdJdQmgw1hPeCas8D_uK9uxWoqUekgx2aiu0RBPwAqYtiYScw@mail.gmail.com>
  0 siblings, 1 reply; 11+ messages in thread
From: Richard Guy Briggs @ 2018-04-24 15:14 UTC (permalink / raw)
  To: F Rafi; +Cc: Linux Audit

On 2018-04-23 23:41, F Rafi wrote:
> Adding a -i to the rules file should ignore any errors.

At risk of feature creep, it might be nice to have a flag to ignore
certain rules but not others, a way to tag individual rules with either
a must, or a different tag with "ignore if not present" for file rules.


- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: Monitoring files
       [not found]       ` <20180424223117.kpzra3iisyckuofh@madcap2.tricolour.ca>
@ 2018-04-24 23:45         ` warron.french
  2018-04-25  0:24           ` Steve Grubb
  0 siblings, 1 reply; 11+ messages in thread
From: warron.french @ 2018-04-24 23:45 UTC (permalink / raw)
  To: Richard Guy Briggs, linux-audit



Mr. Briggs/Rafi,

I don't see the -i switch even mentioned in the manpage for audit.rules.
Is this a documented switch, or not yet a capability on Red Hat or CentOS
systems?

Thanks in advance,


--------------------------
Warron French


On Tue, Apr 24, 2018 at 6:31 PM, Richard Guy Briggs <rgb@redhat.com> wrote:

> On 2018-04-24 18:03, warron.french wrote:
> > Mr. Briggs/Rafi,
>
> I think you forgot to reply to the list (preferred) and/or Rafi.
>
> - RGB

* Re: Monitoring files
  2018-04-24 23:45         ` warron.french
@ 2018-04-25  0:24           ` Steve Grubb
  0 siblings, 0 replies; 11+ messages in thread
From: Steve Grubb @ 2018-04-25  0:24 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

On Tuesday, April 24, 2018 7:45:15 PM EDT warron.french wrote:
>  Mr. Briggs/Rafi,
> 
> I don't see the -i switch even mentioned in the manpage for audit.rules.
> Is this a documented switch, or not yet a capability on Red Hat or CentOS
> systems?

All audit commands are documented in the auditctl man page. When rules load,
auditctl processes them as if you typed them in one by one via auditctl. It's
just that you do not need to type auditctl on each line of the rules.

-Steve


* Re: Monitoring files
       [not found]       ` <CAJdJdQ=jZ3fvYi_mbPxGQ2Lo3G-GnVBuecEuHhz-i1JzAp=-5w@mail.gmail.com>
@ 2018-04-25  0:43         ` Richard Guy Briggs
  2018-04-25  1:12           ` warron.french
  2018-04-25 14:06           ` F Rafi
  0 siblings, 2 replies; 11+ messages in thread
From: Richard Guy Briggs @ 2018-04-25  0:43 UTC (permalink / raw)
  To: warron.french, Linux-Audit Mailing List

On 2018-04-24 18:04, warron.french wrote:
> Furthermore, where would I add the -i switch to a rule like this one:
> 
> -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> auid!=4294967295 -k privileged

I'm not aware of any per-rule switches to permit failure to load to be
non-fatal.  I was suggesting it might help in your situation to add such
a feature, but I think the better solution is a customized rule set for
each machine or type of machine.

> ??

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: Monitoring files
  2018-04-25  0:43         ` Richard Guy Briggs
@ 2018-04-25  1:12           ` warron.french
  2018-04-25  1:40             ` Steve Grubb
  2018-04-25 14:06           ` F Rafi
  1 sibling, 1 reply; 11+ messages in thread
From: warron.french @ 2018-04-25  1:12 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List



Steve, I did a search on the manpage for auditctl and there were no
references to any -i switch; of course it could be because the version we
are on might be too old in comparison.


--------------------------
Warron French



* Re: Monitoring files
  2018-04-25  1:12           ` warron.french
@ 2018-04-25  1:40             ` Steve Grubb
  0 siblings, 0 replies; 11+ messages in thread
From: Steve Grubb @ 2018-04-25  1:40 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

On Tuesday, April 24, 2018 9:12:49 PM EDT warron.french wrote:
> Steve, I did a search on the manpage for auditctl and there was no
> references to any -i switch;
>    of course it could be because the version we are on might be too old in
> comparison.

This is what the auditctl man page says from audit-1.0.16:

-i     Ignore errors when reading rules from a file

I hope you are not using anything less than that.

-Steve



* Re: Monitoring files
  2018-04-25  0:43         ` Richard Guy Briggs
  2018-04-25  1:12           ` warron.french
@ 2018-04-25 14:06           ` F Rafi
  2018-04-25 17:01             ` warron.french
  1 sibling, 1 reply; 11+ messages in thread
From: F Rafi @ 2018-04-25 14:06 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: Linux-Audit Mailing List



Warron,

> Furthermore, where would I add the -i switch to a rule like this one:

You basically put a "-i" on a separate line by itself afaik somewhere at
the top of the audit rules file. All the rules below the -i line will not
cause a load failure (Steve and RGB can confirm).

Farhan


* Re: Monitoring files
  2018-04-25 14:06           ` F Rafi
@ 2018-04-25 17:01             ` warron.french
  2018-04-25 21:46               ` Steve Grubb
  0 siblings, 1 reply; 11+ messages in thread
From: warron.french @ 2018-04-25 17:01 UTC (permalink / raw)
  To: F Rafi; +Cc: Richard Guy Briggs, Linux-Audit Mailing List



Thanks F Rafi.

Steve, does the "-i" flag go on a line simply by itself?

And so the benefit of this switch is that for rules applied through the
audit.rules file that are monitoring files, wherein the files are not on
the system, it will do which:
1. Not load the rule, skip to the next rule and load it if possible?
2. Load the rule, but will simply not indicate an error at all?

Therefore all rules that can be loaded will be loaded (if the files are in
place) and those that don't actually have their files to monitor will
simply not be added to the chain of rules?


Thanks for the explanation,



--------------------------
Warron French



* Re: Monitoring files
  2018-04-25 17:01             ` warron.french
@ 2018-04-25 21:46               ` Steve Grubb
  0 siblings, 0 replies; 11+ messages in thread
From: Steve Grubb @ 2018-04-25 21:46 UTC (permalink / raw)
  To: warron.french; +Cc: Richard Guy Briggs, Linux-Audit Mailing List

On Wed, 25 Apr 2018 13:01:11 -0400
"warron.french" <warron.french@gmail.com> wrote:

> Thanks *F Rafi.*
> 
> *Steve*, does the "-i" flag go on a line simply by itself?

Yes. Just like the -D at the top of the rules.


> And so the benefit of this switch is that for rules applied through
> the audit.rules file; that are monitoring files - wherein the files
> are not on the system will do which:
> 1.  Not load the rule, skip to the next rule and load it if possible?

Yes

> 2. Load the rule, but will simply not indicate an error at all?
> 
> Therefore all rules that can be loaded will be loaded (if the files
> are in place) and those that don't actually have their files to
> monitor will simply not be added to the chain of rules?

Yes. Note that there is also a '-c' rule that will continue loading and
then give you a summary yes/no: Yes, all rules loaded; No, one or more
rules did not load. The '-i' will always report success.

-Steve
 

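The two alternatives the thread arrives at are a blanket "-i" (Steve Grubb: it always reports success, so a mistyped rule vanishes silently), "-c" (continue and give a yes/no summary), or, as Richard Guy Briggs suggests, a rule set customized per machine or machine type. The script below is an added example written for this page; it is not code from the thread or from the audit project. It generates the per-host rule set mechanically: it reads an audit.rules file, keeps every "-w <path>" or "-F path=<path>" rule whose target exists on this host, writes the skipped rules to stderr, and returns the same yes/no summary "-c" would give, but before anything is loaded. It assumes a rule is unloadable exactly when its target path is absent, which is the failure the original post describes; the real auditctl's checks may differ by version. The directory tree and the rules other than the cgclassify rule quoted in the thread are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the audit project: build a
# host-specific audit.rules by dropping file rules whose target path is absent
# on this host, instead of masking every load error with a blanket "-i".
# Rule syntax is auditctl(8): watch rules "-w <path> ..." and syscall rules
# carrying "-F path=<path>". Everything else (-D, -b, -c, -i, comments)
# passes through untouched. The tree and rule list used by demo() are invented.

# filter_rules <rules-file> [root]
#   Prints the rules that can load on this host to stdout and each skipped
#   rule to stderr. Returns 0 if every file rule was loadable, 1 otherwise:
#   the same yes/no summary auditctl -c gives, but decided before loading.
#   <root> is prepended to each path so the check can run against a test tree.
filter_rules() {
    rules_file=$1
    root=${2:-}
    missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        target=
        case $line in
            "-w "*)
                # watch rule: the path is the token after -w
                target=${line#"-w "}
                target=${target%% *}
                ;;
            *"-F path="*)
                # syscall rule: take the value of the (last) -F path= field
                target=${line##*"-F path="}
                target=${target%% *}
                ;;
        esac
        if [ -n "$target" ] && [ ! -e "$root$target" ]; then
            printf 'skip (missing %s): %s\n' "$target" "$line" >&2
            missing=1
            continue
        fi
        printf '%s\n' "$line"
    done < "$rules_file"
    return "$missing"
}

# make_demo_tree <dir>: constructed fake root so the example runs offline.
# Two of the monitored paths (cgconfig.conf, cgrulesengd) are left absent.
make_demo_tree() {
    mkdir -p "$1/etc" "$1/usr/bin" "$1/usr/sbin"
    : > "$1/etc/passwd"
    : > "$1/etc/sudoers"
    : > "$1/usr/bin/cgclassify"
}

# write_demo_rules <file>: constructed rules file in auditctl(8) syntax.
# -D and -c sit on lines by themselves at the top, as the thread describes.
write_demo_rules() {
    cat > "$1" <<'EOF'
-D
-b 8192
-c
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k privileged
-w /etc/cgconfig.conf -p wa -k cgroups
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/cgrulesengd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
EOF
}

# demo: build the tree, generate the host-specific file, report like -c would.
demo() {
    t=$(mktemp -d)
    make_demo_tree "$t"
    write_demo_rules "$t/audit.rules"
    if filter_rules "$t/audit.rules" "$t" > "$t/audit.rules.host"; then
        echo "all rules loadable"
    else
        echo "one or more rules skipped; host file written to $t/audit.rules.host"
    fi
    cat "$t/audit.rules.host"
    rm -rf "$t"
}

if [ "${1-}" = demo ]; then
    demo
fi
```

Save the script and run it with the single argument demo to see the generated file and the two skipped rules. On a real host you would run filter_rules against your master rules list (with no root argument), install the output as the host's audit.rules, and keep the stderr list: it documents which required monitors have no target on that machine, which is the information "-i" throws away. Because the generated file contains only rules that can load, any failure auditctl then reports is a genuine error rather than an expected absence, so "-c" in the header is enough to surface it without aborting the load.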
