[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: filter specific file from specific program






----- Original Message ----
> From: Steve Grubb <sgrubb redhat com>
> To: linux-audit redhat com
> Cc: Lance Dillon <riffraff169 yahoo com>
> Sent: Fri, December 2, 2011 10:04:15 AM
> Subject: Re: filter specific file from specific program
> 
> On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote:
> > I have a  need to filter a file from auditing, but only from a specific
> > process.  We are running splunk, and indexing /var/log/audit/audit.log.  We
> >  want audit.log to be monitored, so we are using a dir watch on
> >  /var/log/audit, but we just don't want splunk access to be reported. 
> >  Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because  it
> > filters everything, not that specific process. 
> 
> The object is  the file. The subject would be the program accessing the file. 
>You could 
>
> use  subj_type.
> 
> > However, it actually spawns another process to do the  actual access, so I 
>can't
> > filter on pid either.  It runs  unconfined, 
> 
> Which is a big problem because you really don't want it to  be unconfined.
> 
> > so I can't filter on subj_type=unconfined_t, because  that would filter way 
>too much.
> >
> > It was suggested to me to use  audit roles.  If this is something separate
> > from selinux context,  perhaps someone can point me in the right direction?
> > I only want to  filter out (not audit) access to audit.log from the
> > specific process  /opt/splunkforwarder/bin/splunkd (and any forks it may
> > do).
> 
> I  think you might could make the helper app setgid and then filter that  out.
> 
> -a never,exit -F gid=xxx
> 
> -Steve
>


Thanks for the ideas, but what we decided to do was redefine the problem a 
little bit, which is that we didn't necessarily care if anybody read it, just 
that we could audit modifications.  So we changed it to:

-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b32 -S open -k LOG -k 
audit
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b64 -S open -k LOG -k 
audit

That filters out reads while taking into consideration that files get sorted 
after dirs (at least in the current rhel5 audit package).

Thanks for the help.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]