Changes according to the ciscat requirements
It is nearly impossible to use static "privileged" rules due to such lists
will differ from one installation to another. By this change it will generate
the list dynamically. It can be extended via common rule_list when needed.
Also the enabled option now is immutable.
Change-Id: I537124cd7201bdea831f0a98c3f98c20c7d77707
diff --git a/README.rst b/README.rst
index a3713c1..ec2992d 100644
--- a/README.rst
+++ b/README.rst
@@ -13,6 +13,15 @@
These violations can further be prevented by additional security
measures such as SELinux.
+Please, be aware of one *feature*.
+If you enable auditd.rules.rules.privileged it will dynamically generate a list
+of binaries which have suid/sgid bit for all mounted file systems which do not
+have **nosuid** or **noexec** mount option (except the *special* file systems
+such as **sysfs**, **nsfs**, **cgroup**, **proc** and so one).
+It was done because it is nearly impossible to create that list manually. It
+always will differ from one installation to another.
+This behavior can not be changed but it can be extended manually by putting
+necessary rules into the **rule_list** list).
Sample Metadata