
List:       linux-audit
Subject:    Re: Adding multiple watch  rules on same path
From:       Klaus Weidner <klaus () atsec ! com>
Date:       2006-08-22 18:30:01
Message-ID: 20060822183001.GA4233 () w-m-p ! com

On Tue, Aug 22, 2006 at 11:51:14AM -0400, Steve Grubb wrote:
> On the other hand, suppose you wrote a system that dynamically alters the audit 
> rules. You could use the keyfield to identify those rules so that you do not 
> have to think about baseline rules the admin may have in place. IOW, you can 
> issue another rule to watch /etc/shadow for writes without checking to see if 
> it already exists. Also, you can delete the rule without worry that you are 
> deleting something the admin wants there as baseline.

I think it's useful to keep it, especially if it already works now.  A
file may need auditing for multiple overlapping reasons, and it's nice to
get consistent results in that case.

It's a feature beyond what CAPP/LSPP requires and it's only available to
admins, so there is no need to specifically test these combinations if
you're just going for CC compliance.

-Klaus
