Duplicate Rule situation

Duplicate Rule situation

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 343 bytes --]

Does anybody know if I put the following two rules into the same
audit.rules file and reboot the server will we end up with some broken
rules?

-w /etc/audit/                     -p a -k watch_audit
-w /etc/audit/rules.d/         -p a -k watch_audit

Will this cause a problem due to duplicate rules?

--------------------------
Warron French

[-- Attachment #1.2: Type: text/html, Size: 690 bytes --]

[-- Attachment #2: Type: text/plain, Size: 106 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Re: Duplicate Rule situation

[Richard Guy Briggs]

On 2021-06-21 12:52, warron.french wrote:
> Does anybody know if I put the following two rules into the same
> audit.rules file and reboot the server will we end up with some broken
> rules?
> 
> -w /etc/audit/         -p a -k watch_audit
> -w /etc/audit/rules.d/ -p a -k watch_audit
> 
> Will this cause a problem due to duplicate rules?

These are two distinct rules, but redundant, so there won't be any
conflict, but the second rule will never trigger.

If you want finer grained triggering under one rule, likely with a
different key, try instead something like:

-w /etc/audit/rules.d/	-p a -k watch_audit_rules_d
-w /etc/audit/		-p a -k watch_audit

> Warron French

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit