exclude rule help
LC Bruzenak
lenny at magitekltd.com
Fri Jun 26 01:22:05 UTC 2009
On Thu, 2009-06-25 at 20:22 -0400, Steve Grubb wrote:
> On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> > Anyone have a good idea of how to discard all these events? Ideally the
> > caller would send in a self-generated event such as "rsyncing rick/src2/
> > to /temp-home" or similar. This is for a dedicated file backup
> > procedure.
> >
> > Obviously I do not want to discard all rsync events, just when launched
> > by our trusted program. Nor would I really want all that program's
> > events discarded since I want it to be able to submit proactive events
> > which summarize its behavior.
>
> With SE Linux, you can create different subject types based on how the
> application was started. Then you can exclude based on the type you assign to
> your subject whenever started by your trusted program.
>
> -Steve
Right, but wouldn't that preclude that same program from being able to
proactively submit its own records and also stop any inadvertent audit
events?
I guess I could:
1: start the first process with type1, let type1 audit what it plans to
do, then it could fork/exec/transition to type2.
2: the new process type2 could then run the rsync stuff. I could exclude
all the type2 records.
3: the parent would wait for the child to complete and, based on the
exit code, audit success/failure as appropriate?
I guess this is the best way forward, however it scares me a little that
no events will then be logged from the process of that type2. If I
protect it I guess it's OK.
Thx!
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
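The three-step scheme sketched above (parent announces the job, child runs rsync in a separate SELinux domain whose records are discarded, parent reports the exit status) as an added wrapper example; this is not code from the thread or from the audit project. The type names backup_t and backup_rsync_t are hypothetical, the local policy is assumed to permit the runcon transition, and the "never" rule only takes effect if it is loaded before any "always" rules.

```shell
#!/bin/sh
# Added example. Hypothetical SELinux types (assumptions, not from the thread):
#   backup_t       - the trusted backup program; its own audit records are kept
#   backup_rsync_t - the child domain that runs rsync; its records are discarded
# Assumes the loaded policy allows backup_t to transition to backup_rsync_t.
RSYNC_TYPE="${RSYNC_TYPE:-backup_rsync_t}"

# Step 1: the parent (type backup_t) announces what it is about to do.
# auditctl -m sends a user-space message into the audit log.
audit_note() {
    auditctl -m "$1"
}

# Step 2: run rsync in the excluded child domain via runcon.
# Step 3: wait for it and record success or failure from the exit code.
# Returns rsync's exit status so the caller can act on it too.
audited_backup() {
    src="$1"; dst="$2"
    audit_note "backup: rsyncing $src to $dst"
    runcon -t "$RSYNC_TYPE" -- rsync -a "$src" "$dst"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        audit_note "backup: $src -> $dst completed successfully"
    else
        audit_note "backup: $src -> $dst FAILED (rsync exit code $rc)"
    fi
    return "$rc"
}

# The rule that drops syscall records from the child domain only.
# "never" rules are matched in order, so load this before any "always" rules.
exclude_rule() {
    echo "-a never,exit -F subj_type=$RSYNC_TYPE"
}
```

Records from the parent domain (the two auditctl -m messages) are untouched by the rule, so the summary events the backup program submits still reach the log.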