Bug 558824 - sys-process/audit: use single location for audit.rules
Summary: sys-process/audit: use single location for audit.rules
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement with 2 votes
Assignee: SE Linux Bugs
Reported: 2015-08-26 12:43 UTC by Coacher
Modified: 2020-01-28 23:25 UTC
Description Coacher 2015-08-26 12:43:10 UTC
Hello.

Currently audit-2.4.3-r1 installs audit.rules to /etc/audit/ and /etc/audit/rules.d/ directories. auditd (via auditctl) uses only rules from /etc/audit. Rules from /etc/audit/rules.d can be processed by augenrules tool to generate a single rules file for auditd, which is placed in /etc/audit as well.

Thus if one chooses to use augenrules, then rules installed in /etc/audit will be overwritten. Alternatively if one chooses not to use augenrules, then rules installed in /etc/audit/rules.d are there for nothing.

Currently the Gentoo initscript does not use augenrules, so nothing gets overwritten. However, it is not impossible for a user to do so.

Another problem is that comments inside the rules file in /etc/audit/rules.d state that it is loaded by auditd, which is not true.

Please provide a single rules file with a proper comment that would clearly distinguish which rules are processed by auditctl and augenrules, what takes precedence, what gets overwritten and what does not.
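
The two failure modes described in the report above can be checked on a host before deciding whether to run augenrules. This is an added example, not part of the bug report or of the sys-process/audit package; the function names are hypothetical, and it assumes a rule is any line that is neither blank nor a `#` comment and that fragments are the `*.rules` files under `rules.d/`.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sys-process/audit.
# Assumption: a rule is an "active" line (not blank, not a # comment), and
# fragments are the *.rules files in rules.d/ that augenrules merges.

# Print the active rule lines of the given files, trimmed of outer whitespace.
active_rules() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^#/d' -e '/^$/d' "$@" 2>/dev/null
}

# audit_rules_diff MODE [DIR]
#   lost      rules only in DIR/audit.rules: gone once augenrules regenerates it
#   unloaded  rules only in DIR/rules.d/: never loaded while augenrules is unused
audit_rules_diff() {
    mode=$1
    dir=${2:-/etc/audit}
    case $mode in
        lost)     cols=-23 ;;
        unloaded) cols=-13 ;;
        *) echo "usage: audit_rules_diff lost|unloaded [DIR]" >&2; return 2 ;;
    esac
    main_tmp=$(mktemp) || return 1
    frag_tmp=$(mktemp) || { rm -f "$main_tmp"; return 1; }
    # Rules the audit daemon's init script loads today.
    active_rules "$dir/audit.rules" | LC_ALL=C sort -u > "$main_tmp"
    # Rules that would end up in a regenerated audit.rules.
    for f in "$dir"/rules.d/*.rules; do
        if [ -f "$f" ]; then active_rules "$f"; fi
    done | LC_ALL=C sort -u > "$frag_tmp"
    # Set difference between the two sorted rule lists.
    LC_ALL=C comm "$cols" "$main_tmp" "$frag_tmp"
    rm -f "$main_tmp" "$frag_tmp"
}
```

After sourcing the file, `audit_rules_diff lost` lists rules that exist only in /etc/audit/audit.rules, and `audit_rules_diff unloaded` lists rules that sit only in /etc/audit/rules.d/; empty output from both means the two locations agree.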
Comment 1 Brian Evans (RETIRED) gentoo-dev 2015-09-01 14:00:51 UTC

*** This bug has been marked as a duplicate of bug 529906 ***
Comment 2 Coacher 2015-09-01 17:28:23 UTC
(In reply to Brian Evans from comment #1)
> 
> *** This bug has been marked as a duplicate of bug 529906 ***

This is not a duplicate of #529906. Support for /etc/audit/rules.d/ is there already. At least sys-process/audit-2.4.3-r1 has it.

This bug is about fixing the way this support was added in Gentoo. See my previous comment for several issues and possible ways to overcome them.