Packit | f0d170 |

This group of rules is meant to be used with the augenrules program.
The augenrules program expects rules to be located in /etc/audit/rules.d/.
The rules are processed in a specific order based on the natural sort order
of their file names. To make things easier to use, the files in this
directory are organized into groups with the following meanings:

10 - Kernel and auditctl configuration
20 - Rules that could match general rules but we want a different match
30 - Main rules
40 - Optional rules
50 - Server Specific rules
70 - System local rules
90 - Finalize (immutable)

There is one set of rules, 31-privileged.rules, that should be regenerated.
There is a script in the comments of that file. You can uncomment the commands,
run the script, and then rename the resulting file.

The rules are not meant to be used all at once. They are pieces of a policy
that should be thought out, with the individual files copied to
/etc/audit/rules.d/. For example, if you wanted to set a system up in the STIG
configuration, copy rules 10-base-config, 30-stig, 31-privileged, and
99-finalize. You can add more if you like.

Once you have the rules in the rules.d directory, you can load them by running

augenrules --load
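As an added example (not part of the audit project's README), the following POSIX shell script previews the order in which the files in a rules.d directory would be merged and checks that the immutable flag (`-e 2`, set by the finalize file) ends up last, since any rule sorted after it would not be loaded once the configuration is locked. It assumes augenrules merges `*.rules` files in plain sorted file-name order; the sample rule files it creates are constructed for illustration.

```shell
#!/bin/sh
# Preview and sanity-check a rules.d directory before running "augenrules --load".
# Assumption: augenrules concatenates *.rules files in sorted file-name order,
# which is the "natural sort order" the README describes.

# Print the merged rule set in sorted file-name order, labelling each file.
assemble_rules() {
    dir="$1"
    ls "$dir"/*.rules | LC_ALL=C sort | while read -r f; do
        printf '## %s\n' "$(basename "$f")"
        cat "$f"
    done
}

# Return 0 if "-e 2" is the last effective (non-comment, non-blank) line and
# occurs exactly once; anything merged after it would be rejected once the
# kernel audit configuration is immutable.
check_finalize_last() {
    dir="$1"
    rules=$(assemble_rules "$dir" | grep -v '^#' | grep -v '^[[:space:]]*$')
    last=$(printf '%s\n' "$rules" | tail -n 1)
    count=$(printf '%s\n' "$rules" | grep -c -- '^-e 2$')
    [ "$last" = "-e 2" ] && [ "$count" -eq 1 ]
}

# Build a constructed rules.d tree using the file names the README lists for
# the STIG layout. The rule contents are illustrative, not the project's files.
make_sample_rulesd() {
    dir=$(mktemp -d)
    printf '%s\n' '-D' '-b 8192' '-f 1' > "$dir/10-base-config.rules"
    printf '%s\n' '-w /etc/sudoers -p wa -k actions' > "$dir/30-stig.rules"
    printf '%s\n' '-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged' \
        > "$dir/31-privileged.rules"
    printf '%s\n' '-e 2' > "$dir/99-finalize.rules"
    printf '%s\n' "$dir"
}
```

Run `check_finalize_last /etc/audit/rules.d` on a real system to confirm the finalize file is the last one augenrules would merge; a file named so that it sorts after the finalize file makes the check fail.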