* audit.rules setting
@ 2016-03-22 12:55 Warron S French
From: Warron S French @ 2016-03-22 12:55 UTC
  To: linux-audit



Does the "-e 2" have to be the last line of the audit.rules file?
Does it have to be listed prior to all of the syscalls and watches configured in the file?


Thank you in advance,

Warron French, MBA, SCSA


* Re: audit.rules setting
From: Steve Grubb @ 2016-03-22 14:06 UTC
  To: linux-audit

On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> Does the "-e 2" have to be the last line of the audit.rules file?

Yes. Once it's sent to the kernel, the kernel rules tables are immutable.


> Does it have to be listed prior to all of the syscalls and watches
> configured in the file?

No. This will make it not load anything.

-Steve
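An added check for the ordering constraint described above (example code, not part of the thread; the lint/finalize helpers and the sample rules file are constructed): it reports any rule that follows `-e 2` and so would never load, and rewrites the file so a single `-e 2` is the last directive.

```python
# Added example, not from the thread: check that "-e 2" is the last directive in audit.rules.
from __future__ import annotations
import shlex
from dataclasses import dataclass, field


@dataclass
class LintResult:
    immutable_line: int | None = None                  # 1-based line of the first "-e 2"
    unreachable: list[tuple[int, str]] = field(default_factory=list)  # rules after it

    @property
    def ok(self) -> bool:
        return not self.unreachable


def is_immutable_directive(line: str) -> bool:
    """True when the whole line is "-e 2" (the "-e2" spelling is accepted too)."""
    return shlex.split(line, comments=True) in (["-e", "2"], ["-e2"])


def lint_audit_rules(text: str) -> LintResult:
    """Flag every rule that follows "-e 2": the kernel tables are immutable by then."""
    result = LintResult()
    for number, line in enumerate(text.splitlines(), start=1):
        if not shlex.split(line, comments=True):
            continue                                   # blank or comment-only line
        if is_immutable_directive(line):
            if result.immutable_line is None:
                result.immutable_line = number
        elif result.immutable_line is not None:
            result.unreachable.append((number, line.strip()))
    return result


def finalize_audit_rules(text: str) -> str:
    """Drop every "-e 2" line and append a single one as the final directive."""
    kept = [line for line in text.splitlines() if not is_immutable_directive(line)]
    return "\n".join(kept + ["-e 2"]) + "\n"


# Constructed sample, not a real deployment: "-e 2" placed before the rules.
SAMPLE_BAD = """\
# flush existing rules and size the backlog
-D
-b 8192
-e 2
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
"""
```

Running `lint_audit_rules(SAMPLE_BAD)` reports lines 5 and 6 as unreachable; `finalize_audit_rules` moves the lock to the end so the same check then passes.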

* RE: EXT :Re: audit.rules setting
From: Boyce, Kevin P (AS) @ 2016-03-22 14:26 UTC
  To: Steve Grubb, linux-audit

With regard to this subject, I don't know if it is possible, but it bothers me when shutting down a system that you get errors (when -e 2 is enabled) when auditd is stopping.
That might be unavoidable though.

Kevin Boyce


* Re: EXT :Re: audit.rules setting
From: Steve Grubb @ 2016-03-22 14:40 UTC
  To: Boyce, Kevin P (AS); +Cc: linux-audit

On Tuesday, March 22, 2016 02:26:33 PM Boyce, Kevin P wrote:
> With regard to this subject I don't know if it is possible, but it bothers
> me when shutting down a system that you get errors (when -e 2 is enabled)
> when auditd is stopping. That might be unavoidable though.

If this is a sysVinit system, then there are variables in /etc/sysconfig/auditd
such as AUDITD_CLEAN_STOP that determine what the init script does.

If you have a systemd-based init system, then by default it does not modify
rules like the sysVinit one does. It does have an ExecStopPost= variable that
can be modified if you wanted to clear rules on shutdown.

-Steve

