On 2018-04-24 18:04, warron.french wrote:
> Furthermore, where would I add the -i switch to a rule like this one:
>
> -a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F
> auid!=4294967295 -k privileged

I'm not aware of any per-rule switches to permit failure to load to be non-fatal. I was suggesting it might help in your situation to add such a feature, but I think the better solution is a customized rule set for each machine or type of machine.

> ??
>
> --------------------------
> Warron French
>
>
> On Tue, Apr 24, 2018 at 6:03 PM, warron.french <warron.fre...@gmail.com>
> wrote:
>
> > Mr. Briggs/Rafi,
> >
> > I don't see the -i switch even mentioned in the manpage for audit.rules.
> > Is this a documented switch, or not yet a capability on Red Hat or CentOS
> > systems?
> >
> > Thanks in advance,
> >
> > --------------------------
> > Warron French
> >
> >
> > On Tue, Apr 24, 2018 at 11:14 AM, Richard Guy Briggs <r...@redhat.com>
> > wrote:
> >
> >> On 2018-04-23 23:41, F Rafi wrote:
> >> > Adding a -i to the rules file should ignore any errors.
> >>
> >> At risk of feature creep, it might be nice to have a flag to ignore
> >> certain rules but not others, a way to tag individual rules with either
> >> a must, or a different tag with "ignore if not present" for file rules.
> >>
> >> > -Farhan
> >> >
> >> > On Mon, Apr 23, 2018 at 9:19 PM, warron.french <warron.fre...@gmail.com>
> >> wrote:
> >> > > Hi, I have a requirement to monitor a ton of files, executables and
> >> config
> >> > > files.
> >> > >
> >> > > Anyway, not all of my systems have every file in the list; and when I
> >> add
> >> > > the rules appropriate, either as a Watch (-w) rule or as an Action
> >> (-a)
> >> > > rule, the rules stop loading when they find a rule that has a file that
> >> > > doesn't exist *on that particular system*.
> >> > >
> >> > > This is the intended effect, yes?
> >> > >
> >> > > Thanks in advance,
> >> > > --------------------------
> >> > > Warron French
> >>
> >> - RGB
> >>
> >> --
> >> Richard Guy Briggs <r...@redhat.com>
> >> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> >> Remote, Ottawa, Red Hat Canada
> >> IRC: rgb, SunRaycer
> >> Voice: +1.647.777.2635, Internal: (81) 32635
> >>
> >
>

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
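
Added example, not part of the original thread and not code from the audit project: one way to produce the per-machine rule set suggested in the reply, by filtering a shared master list down to the rules whose watched path exists on the host. The function name `filter_audit_rules` and its optional `ROOT` argument are hypothetical, and the filter assumes paths appear only as `-w PATH`, `-F path=PATH` or `-F dir=PATH`.

```shell
#!/bin/sh
# Added example: derive a per-machine audit rule set from a shared master list.
# filter_audit_rules [ROOT] reads rules on stdin and writes to stdout only the
# rules whose watched path exists under ROOT (default: empty, the real /).
# Skipped rules are reported on stderr so missing coverage stays visible.
# ROOT is a hypothetical aid for testing against a scratch directory.
# Usage (file names are placeholders):
#   filter_audit_rules < master.rules > host.rules
filter_audit_rules() {
    root="${1:-}"
    while IFS= read -r line || [ -n "$line" ]; do
        # Comment lines pass through untouched.
        case "$line" in
            \#*) printf '%s\n' "$line"; continue ;;
        esac
        path=""
        prev=""
        set -f                      # no globbing while word-splitting the rule
        for tok in $line; do
            case "$prev:$tok" in
                -w:*)      path="$tok" ;;            # watch rule: -w PATH
                -F:path=*) path="${tok#path=}" ;;    # syscall rule on a file
                -F:dir=*)  path="${tok#dir=}" ;;     # syscall rule on a tree
            esac
            prev="$tok"
        done
        set +f
        # Rules with no path field (e.g. pure syscall rules) are always kept.
        if [ -z "$path" ] || [ -e "$root$path" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipped (no %s): %s\n' "$path" "$line" >&2
        fi
    done
}
```

Keeping the stderr report alongside the generated file gives a record of which master rules a given host does not carry.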