Discussion:
Monitoring files
warron.french
2018-04-24 01:19:28 UTC
Hi, I have a requirement to monitor a ton of files, executables and config
files.

Anyway, not all of my systems have every file in the list; and when I add
the appropriate rules, either as a Watch (-w) rule or as an Action (-a)
rule, the rules stop loading when they find a rule that has a file that
doesn't exist *on that particular system*.

This is the intended effect, yes?

Thanks in advance,
--------------------------
Warron French
F Rafi
2018-04-24 03:41:10 UTC
Adding a -i to the rules file should ignore any errors.

-Farhan
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
Richard Guy Briggs
2018-04-24 15:14:50 UTC
Post by F Rafi
Adding a -i to the rules file should ignore any errors.
At risk of feature creep, it might be nice to have a flag to ignore
certain rules but not others, a way to tag individual rules with either
a must, or a different tag with "ignore if not present" for file rules.
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
warron.french
2018-04-24 23:45:15 UTC
Mr. Briggs/Rafi,

I don't see the -i switch even mentioned in the manpage for audit.rules.
Is this a documented switch, or not yet a capability on Red Hat or CentOS
systems?

Thanks in advance,


--------------------------
Warron French
Mr. Briggs/Rafi,
I think you forgot to reply to the list (preferred) and/or Rafi.
Steve Grubb
2018-04-25 00:24:34 UTC
Post by warron.french
Mr. Briggs/Rafi,
I don't see the -i switch even mentioned in the manpage for audit.rules.
Is this a documented switch, or not yet a capability on Red Hat or CentOS
systems?
All audit commands are documented in the auditctl man page. When rules load,
auditctl processes them as if you typed them in one by one via auditctl. It's
just that you do not need to type auditctl on each line of the rules.

-Steve
Richard Guy Briggs
2018-04-25 00:43:37 UTC
-a always,exit -F path=/usr/bin/cgclassify -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
I'm not aware of any per-rule switches to permit failure to load to be
non-fatal. I was suggesting it might help in your situation to add such
a feature, but I think the better solution is a customized rule set for
each machine or type of machine.
- RGB

warron.french
2018-04-25 01:12:49 UTC
Steve, I did a search on the manpage for auditctl and there were no
references to any -i switch;
of course it could be because the version we are on might be too old in
comparison.


--------------------------
Warron French
Steve Grubb
2018-04-25 01:40:37 UTC
Post by warron.french
Steve, I did a search on the manpage for auditctl and there was no
references to any -i switch;
of course it could be because the version we are on might be too old in
comparison.
This is what the auditctl man page says from audit-1.0.16:

-i Ignore errors when reading rules from a file

I hope you are not using anything less than that.

-Steve
F Rafi
2018-04-25 14:06:13 UTC
Warron,
You basically put a "-i" on a separate line by itself afaik somewhere at
the top of the audit rules file. All the rules below the -i line will not
cause a load failure (Steve and RGB can confirm).

Farhan
warron.french
2018-04-25 17:01:11 UTC
Thanks *F Rafi.*

*Steve*, does the "-i" flag go on a line simply by itself?

And so the benefit of this switch is that rules applied through the
audit.rules file that are monitoring files, wherein the files are not on
the system, will do which:
1. Not load the rule, skip to the next rule and load it if possible?
2. Load the rule, but will simply not indicate an error at all?

Therefore all rules that can be loaded will be loaded (if the files are in
place) and those that don't actually have their files to monitor will
simply not be added to the chain of rules?


Thanks for the explanation,



--------------------------
Warron French
Steve Grubb
2018-04-25 21:46:24 UTC
On Wed, 25 Apr 2018 13:01:11 -0400
Post by warron.french
Thanks *F Rafi.*
*Steve*, does the "-i" flag go on a line simply by itself?
Yes. Just like the -D at the top of the rules.
Post by warron.french
And so the benefit of this switch is that for rules applied through
the audit.rules file; that are monitoring files - wherein the files
1. Not load the rule, skip to the next rule and load it if possible?
Yes
Post by warron.french
2. Load the rule, but will simply not indicate an error at all?
Therefore all rules that can be loaded will be loaded (if the files
are in place) and those that don't actually have their files to
monitor will simply not be added to the chain of rules?
Yes. Note that there is also a '-c' rule that will continue loading and
then give you a summary yes/no. Yes all rules loaded, No one or more
rules did not load. The '-i' will always report success.

-Steve
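Added example, not code from this thread or from the audit project: a POSIX sh script that does what Richard suggests above (a customised rule set per machine) by filtering a master rule list against the paths that actually exist on the host, and that puts -c rather than -i on its own line at the top, so that auditctl continues past a rule that fails to load but still reports whether every rule loaded, as Steve describes. With -i every error is swallowed and auditctl always reports success, which also hides typos in rules that should have loaded; pre-filtering keeps the "missing file" case out of the rules file so the remaining errors are real ones. The rule lines, keys and paths used in the check are constructed for the example; the function names rule_path, build_rules and count_rules are this example's own.

```shell
#!/bin/sh
# Build a per-host audit.rules from a master rule list.
# Only -w and "-a ... -F path=" rules whose path exists on this host are
# kept; other rule types (syscall rules without a path) pass through.
# Added example; rule contents and paths are constructed, not from the thread.

# Print the file path a rule refers to, or nothing for non-file rules.
# Handles "-w /path ..." and "-a ... -F path=/path ..." forms.
rule_path() {
    case "$1" in
        "-w "*)
            printf '%s\n' "$1" | awk '{print $2}'
            ;;
        "-a "*)
            printf '%s\n' "$1" | sed -n 's/.*-F[[:space:]]*path=\([^[:space:]]*\).*/\1/p'
            ;;
    esac
}

# Emit a rules file on stdout: a header, then every rule from the master
# list whose path exists under $root (rules with no path are always kept).
# Skipped rules are reported on stderr so the omission is visible.
#   $1 = master rules file
#   $2 = root to check paths under (empty = the real filesystem)
build_rules() {
    master=$1
    root=${2:-}
    # -D flushes old rules, -b sets the backlog, -c (on its own line, like -D)
    # makes auditctl continue past a failing rule and report a yes/no summary
    # at the end, instead of -i which always reports success.
    printf '%s\n' "-D" "-b 8192" "-c"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # skip blanks and comments
        esac
        p=$(rule_path "$line")
        if [ -z "$p" ] || [ -e "$root$p" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipped (no %s on this host): %s\n' "$p" "$line" >&2
        fi
    done < "$master"
}

# Count the -w and -a rules in a generated file (used for checking results).
count_rules() {
    grep -c -e '^-w ' -e '^-a ' "$1"
}

# Typical use on a real host (root required to load):
#   build_rules /etc/audit/master.rules > /etc/audit/rules.d/host.rules
#   augenrules --load
```

The generated file is meant to be loaded the normal way (augenrules or auditctl -R); the second argument of build_rules exists only so the filtering can be exercised against a staging tree before touching the live configuration.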