Discussion:
adding rules after setting rules immutable
warron.french
2016-09-08 13:42:09 UTC
While working with RHEL-6 and RHEL-7 systems, and understanding that you
can set rules to immutable by adding *-e 2* to the end of the audit.rules
file(s) I realized something.


If I want to add rules to a system due to new IT Governance, I might have
to reboot every machine that gets the newly added rules.


Is this true, or can I get away with simply executing, on both versions of
RHEL (6 and 7):
augenrules --check
augenrules --load


I ask, because I want to write some Puppet code that is smart enough to
ensure the rules are put into place. Do I really have to reboot a server
in the middle of a work day or can I work around it with the use of the
*augenrules* commands as listed above?


Thanks in advance,
--------------------------
Warron French
Steve Grubb
2016-09-08 13:52:32 UTC
Post by warron.french
While working with RHEL-6 and RHEL-7 systems, and understanding that you
can set rules to immutable by adding *-e 2* to the end of the audit.rules
file(s) I realized something.
If I want to add rules to a system due to new IT Governance, I might have
to reboot every machine that gets the newly added rules.
Yes, you need to reboot. This is what immutable means - no changes allowed
during runtime.
Post by warron.french
Is this true, or can I get away with simply executing, on both versions of
augenrules --check
augenrules --load
These will fail.
Post by warron.french
I ask, because I want to write some Puppet code that is smart enough to
ensure the rules are put into place. Do I really have to reboot a server
in the middle of a work day or can I work around it with the use of the
*augenrules* commands as listed above?
This is what immutable does. If you need flexibility to change rules at will,
then you should comment out or delete the -e 2 at the end.

-Steve
Richard Guy Briggs
2016-09-08 16:16:41 UTC
Post by Steve Grubb
Post by warron.french
While working with RHEL-6 and RHEL-7 systems, and understanding that you
can set rules to immutable by adding *-e 2* to the end of the audit.rules
file(s) I realized something.
If I want to add rules to a system due to new IT Governance, I might have
to reboot every machine that gets the newly added rules.
Yes, you need to reboot. This is what immutable means - no changes allowed
during runtime.
Post by warron.french
Is this true, or can I get away with simply executing, on both versions of
augenrules --check
augenrules --load
These will fail.
Warron, it isn't userspace that is gating this. Once immutable is set,
the kernel simply stops listening to any changes requested. Once
userspace invokes this command, it is powerless to change it until the
next boot.
Post by Steve Grubb
Post by warron.french
I ask, because I want to write some Puppet code that is smart enough to
ensure the rules are put into place. Do I really have to reboot a server
in the middle of a work day or can I work around it with the use of the
*augenrules* commands as listed above?
This is what immutable does. If you need flexibility to change rules at will,
then you should comment out or delete the -e 2 at the end.
-Steve
- RGB

--
Richard Guy Briggs <***@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
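The point made in Steve's and Richard's replies above, that once the kernel is in the "enabled 2" state any rule load will fail until reboot, is something configuration management can check for before it tries `augenrules --load`. The following is an added example written for this thread; it is not code from the original posts, from Puppet, or from the audit project. It parses the status text that `auditctl -s` prints and decides whether a runtime reload can succeed or a reboot has to be scheduled. It assumes two output layouts for `auditctl -s` (the older single-line `AUDIT_STATUS: enabled=N ...` form and the newer one-field-per-line `enabled N` form); the sample status texts are constructed, and the `LOADER` variable and the reboot marker path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread or the audit project):
# decide from the kernel's audit status whether rules can be (re)loaded now.
# "enabled 2" means -e 2 has been applied: the kernel ignores every further
# rule change until the next boot, so `augenrules --load` will fail.

# audit_enabled_field STATUS_TEXT -> prints the numeric "enabled" value.
# Assumed layouts of `auditctl -s` output:
#   single line: "AUDIT_STATUS: enabled=1 flag=1 pid=... "
#   multi line:  "enabled 1" on a line of its own
audit_enabled_field() {
    printf '%s\n' "$1" | sed -n 's/.*enabled[ =]\([0-9]\).*/\1/p' | head -n 1
}

# audit_state STATUS_TEXT -> disabled | enabled | immutable | unknown
audit_state() {
    case "$(audit_enabled_field "$1")" in
        0) echo disabled ;;
        1) echo enabled ;;
        2) echo immutable ;;
        *) echo unknown ;;
    esac
}

# rules_loadable STATUS_TEXT -> exit 0 when a runtime reload can succeed,
# exit 1 when the kernel is immutable (reboot required) or state is unknown.
# enabled=0 only switches auditing off; rules can still be loaded then.
rules_loadable() {
    case "$(audit_state "$1")" in
        enabled|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# reload_or_mark_reboot STATUS_TEXT MARKER_FILE
#   Loads the rules when the kernel will accept them; otherwise creates
#   MARKER_FILE (hypothetical path chosen by the caller) so that a later
#   maintenance job can schedule the reboot, and returns 1.
#   LOADER (hypothetical) overrides the load command, e.g. for testing.
reload_or_mark_reboot() {
    if rules_loadable "$1"; then
        ${LOADER:-augenrules --load}
    else
        : > "$2"
        echo "audit rules are immutable (enabled 2); reboot required" >&2
        return 1
    fi
}

# Constructed sample status texts (not captured from a real host).
SAMPLE_RHEL7_MUTABLE='enabled 1
failure 1
pid 1184
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

SAMPLE_RHEL7_IMMUTABLE='enabled 2
failure 1
pid 1184
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

SAMPLE_RHEL6_IMMUTABLE='AUDIT_STATUS: enabled=2 flag=1 pid=1184 rate_limit=0 backlog_limit=320 lost=0 backlog=0'

# Live use, e.g. from a Puppet exec resource (needs root and auditctl):
#   augenrules --check || exit 1
#   reload_or_mark_reboot "$(auditctl -s 2>/dev/null)" /var/run/audit-rules-need-reboot
```

Run as a wrapper around `augenrules --load`, the script leaves the marker behind on hosts that still carry `-e 2`, so Puppet can report "reboot pending" instead of retrying a load that the kernel will keep rejecting; hosts without the lock get the new rules at runtime.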
