OK, I will have to try this tomorrow. I have to go home now.
--
Warron French
On Wed, Apr 12, 2017 at 5:01 PM, Steve Grubb wrote:
> On Wednesday, April 12, 2017 3:00:59 PM EDT warron.french wrote:
> > Yes, certainly.
> >
> > I had a 1.7GB messages file in /var/log; so
On Wednesday, April 12, 2017 3:00:59 PM EDT warron.french wrote:
> Yes, certainly.
>
> I had a 1.7GB messages file in /var/log; so I moved it manually out of the
> way. Then I rebooted.
>
> After doing that, I didn't see anything at all about auditd in the new
> /var/log/messages.
It will proba
Watch (-w) rules not in memory:
[root@wfrench-rhel68s-001 audit]# grep -e "-w " audit.rules
-w /etc/group -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/localtime -p wa -k audit_time_rules
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/security/opasswd
Yes, certainly.
I had a 1.7GB messages file in /var/log; so I moved it manually out of the
way. Then I rebooted.
After doing that, I didn't see anything at all about auditd in the new
/var/log/messages.
I have finally gotten it down to 13 audit rules, all still Action Rules
only for some reason
On Wednesday, April 12, 2017 12:51:03 PM EDT warron.french wrote:
> Hello, I am writing a Puppet Module to deliver updates of audit.rules and
> auditd.conf configurations to RHEL6 and RHEL7 machines.
>
> The files are laid down correctly for both RHEL6 and RHEL7 within the
> appropriate directorie
Hello, I am writing a Puppet Module to deliver updates of audit.rules and
auditd.conf configurations to RHEL6 and RHEL7 machines.
The files are laid down correctly for both RHEL6 and RHEL7 within the
appropriate directories:
- RHEL6 = /etc/audit/audit.rules, for
- RHEL7 = /etc/audit/rules.d