
audit package has no rules

"Preconfigured Rules Files
In the /usr/share/doc/audit/rules/ directory, the audit package provides a set of pre-configured rules files according to various certification standards: "

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-Defining_Audit_Rules_and_Controls#sec-Defining_Audit_Rules_and_Controls_in_the_audit.rules_file

Those files are in the rules dir in the top-level directory if you download the audit source tarball, but the Arch package doesn't install them. If you want to use audit rather than just install it as a dep, they are quite useful.

Re: audit package has no rules

Reply #1
Is this republished anywhere? This site is blackhole-listed by my routing. It is as if anti-matter were hidden in such sites.  :)


Re: audit package has no rules

Reply #2
The missing files also come with an explanation of how to use them in the README-rules in that same rules directory, and the subject is covered in the auditd and augenrules man pages. Although the package is from Red Hat and part of their SELinux suite, it's more widely useful, as it is basically a configurable logging package that can monitor changes to files and directories and track processes, creating a searchable, time-stamped log. The author is sympathetic towards non-systemd inits as well.
The Arch kernel was compiled without audit support until fairly recently. The efficient kernel-level monitoring is why it gets used as a dependency, for the libraries it provides to interface with that functionality.
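The two posts above describe where the preconfigured rule files live (the rules/ directory of the source tarball) and that the augenrules man page explains how they are consumed. The script below is an added example, not from the thread and not part of the audit project: it copies chosen rule files from an unpacked tarball into a rules.d directory and then merges them the way augenrules does, concatenating the *.rules files in sorted order into a single audit.rules. All paths are parameters, and the demo writes into a temporary directory with two constructed, much-shortened stand-ins for the upstream files, so it runs without root or a running auditd. The real augenrules uses natural sort order; plain glob order is used here, which agrees for the two-digit numeric prefixes the upstream files carry.

```shell
#!/bin/sh
# Added example (not the audit project's code): stage preconfigured rule
# files from an unpacked audit tarball into a rules.d directory and merge
# them into one audit.rules, as augenrules would.
set -u

# install_rules SRC DEST file...
# SRC  = rules/ directory of the unpacked tarball (assumed location)
# DEST = the rules.d directory augenrules reads (/etc/audit/rules.d on a
#        real system; a temp dir in the demo so no root is needed)
install_rules() {
  src=$1
  dest=$2
  shift 2
  mkdir -p "$dest" || return 1
  for f in "$@"; do
    if [ ! -f "$src/$f" ]; then
      echo "install_rules: $src/$f not found" >&2
      return 1
    fi
    cp "$src/$f" "$dest/$f" || return 1
  done
}

# merge_rules DEST OUT
# Concatenate DEST/*.rules in sorted order into OUT, dropping comments and
# blank lines, then print the number of rule lines. Fails if any remaining
# line does not look like an auditctl option (-D, -b, -f, -w, -a, ...),
# since auditctl would reject it at load time.
merge_rules() {
  dest=$1
  out=$2
  {
    echo "## Generated from $dest by merge_rules; edit the files in $dest instead"
    for f in "$dest"/*.rules; do
      [ -f "$f" ] || continue
      echo "## $(basename "$f")"
      grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    done
  } > "$out" || return 1
  if grep -v '^#' "$out" | grep -qv '^-'; then
    echo "merge_rules: malformed line in $out" >&2
    return 1
  fi
  grep -c '^-' "$out"
}

# demo: build a constructed stand-in for the tarball's rules/ directory
# (real file names, drastically shortened contents, real auditctl syntax),
# stage two of the files and merge them. Prints the merged rule count.
demo() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/src"
  cat > "$d/src/10-base-config.rules" <<'EOF'
## Delete existing rules, then set the buffer size and failure mode
-D
-b 8192
-f 1
EOF
  cat > "$d/src/30-stig.rules" <<'EOF'
## Watch identity files for writes and attribute changes
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
  install_rules "$d/src" "$d/rules.d" 10-base-config.rules 30-stig.rules || return 1
  merge_rules "$d/rules.d" "$d/audit.rules"
}
```

On a real system the destination is /etc/audit/rules.d, the merge step is `augenrules --load` (with `augenrules --check` reporting whether the merged /etc/audit/audit.rules is stale relative to rules.d), and `auditctl -l` shows what the kernel actually accepted; the merge function here only stands in for that step so the flow can be exercised without root.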