This rule will let you know when an SUID binary is *executed* https://github.com/simp/pupmod-simp-auditd/blob/master/templates/base.erb#L50:L55 .
I would not run any filesystem searches from Puppet, I would relegate those to cron+syslog so that you can better control the amount of I/O churn on your system over time.

Thanks,

Trevor

On Fri, Sep 4, 2015 at 2:54 PM, Sean <smalde...@gmail.com> wrote:

> Hi,
>
> I'm using a module from the Forge to manage auditd rules, the module works quite well and managing rules is very easy. The hard part is that there's a requirement to audit use of SUID files on each system. Without knowing exactly what files are SUID on every server in the field, since there are several Linux flavors and versions, I'm finding myself thinking the only way to accomplish this is to write a custom fact to hold all the SUID files as an array, then pass the array to the resource creator. I just don't relish the idea of running a find command from / every 30 minutes.
>
> Might anyone have any better ideas?
>
> Thank you kindly!
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e848e8ab-0a96-4934-9382-42f3b828d529%40googlegroups.com <https://groups.google.com/d/msgid/puppet-users/e848e8ab-0a96-4934-9382-42f3b828d529%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --
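The cron+syslog approach suggested in the reply could look like the following. This is an added example, not part of the thread or of any module mentioned in it; the state directory, the `suid-inventory` syslog tag, the script path and the cron schedule are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): SUID inventory meant to run from cron.
# Assumed names: STATE_DIR location and the "suid-inventory" syslog tag.

STATE_DIR="${STATE_DIR:-/var/lib/suid-inventory}"

# Print every SUID regular file under $1, sorted, staying on one filesystem
# (-xdev keeps the scan off NFS mounts, /proc and other mounted trees).
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# Print the lines of the sorted list $2 that are absent from baseline $1.
new_entries() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Scan $1, send each newly seen SUID file to syslog, then update the baseline.
run_inventory() {
    root="$1"
    mkdir -p "$STATE_DIR" || return 1
    baseline="$STATE_DIR/baseline"
    current="$STATE_DIR/current.$$"
    [ -f "$baseline" ] || : > "$baseline"
    list_suid "$root" > "$current"
    new_entries "$baseline" "$current" | while IFS= read -r path; do
        logger -t suid-inventory -p auth.notice "new SUID file: $path"
    done
    mv "$current" "$baseline"
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    run_inventory "$1"
fi

# Constructed cron entry: once a day, at the lowest CPU and I/O priority.
# 15 3 * * * root nice -n 19 ionice -c 3 /usr/local/sbin/suid-inventory.sh /
```

On the first run every SUID file is reported as new, which gives an initial inventory in syslog; later runs report only additions, and `-xdev` means each local filesystem of interest needs its own invocation.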