Excluding selected CRYPTO_KEY_USER events

Steve Grubb sgrubb at redhat.com
Sat Jan 9 19:35:08 UTC 2016


On Saturday, January 09, 2016 10:26:06 AM Richard Young wrote:
> I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would
> like to exclude just specific ones.
> I would like to exclude ones for a specific UID, hostname, or IP.
> 
> There are many examples of how to exclude specific files, directory events,
> or syscall events.
> 
> Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by
> UID, hostname, or IP?

I opened a bz to ask for this capability a little over a month ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1287745
Unfortunately, I don't think you can do anything until that lands.

This particular event comes from user space. So, the kernel cannot filter on IP 
address. And specifically, the kernel can never really filter on IP address 
because it's typically not an argument to any but 2 or 3 syscalls.

There is a chance that you might be able to use the USER filter if the SELinux 
type is unique to whatever you wanted to remove.

-a never,user -F subj_type=httpd_t

-Steve
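
Added example, not part of the original post and not code from the audit project: a Python sketch that splits a user-space audit record into the fields the kernel stamps on it (pid, uid, auid, ses, subj) and the msg='...' payload written by the sending program, where hostname and addr live. It models what the subj_type rule above compares and, as an assumption about what the requester is after, shows a report-time selection by UID or address that leaves the recorded log untouched. The sample records, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample records in the usual audit.log layout (not real log data).
_SSHD = "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023"
SAMPLE = [
    f"type=CRYPTO_KEY_USER msg=audit(1452368101.100:201): pid=2101 uid=0 auid=4294967295 ses=4294967295 {_SSHD} "
    "msg='op=destroy kind=server direction=? spid=2101 suid=0 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 terminal=? res=success'",
    f"type=CRYPTO_KEY_USER msg=audit(1452368102.200:202): pid=2102 uid=0 auid=4294967295 ses=4294967295 {_SSHD} "
    "msg='op=destroy kind=server direction=? spid=2102 suid=0 exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=? res=success'",
    "type=USER_AUTH msg=audit(1452368103.300:203): pid=2103 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:httpd_t:s0 "
    "msg='op=PAM:authentication acct=\"demo\" exe=\"/usr/sbin/httpd\" hostname=? addr=? terminal=? res=success'",
]

RECORD = re.compile(r"^type=(?P<type>\S+) msg=audit\([^)]*\): (?P<head>.*?) msg='(?P<payload>.*)'$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split a record into kernel-stamped fields and the user-space payload."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    fields = lambda s: {k: v.strip('"') for k, v in KV.findall(s)}
    return {"type": m["type"], "kernel": fields(m["head"]), "user": fields(m["payload"])}

def subj_type(rec):
    # An SELinux context is user:role:type:level; the type is the third field.
    return rec["kernel"]["subj"].split(":")[2]

def user_filter_drops(rec, wanted_type):
    # Simplified model of "-a never,user -F subj_type=<wanted_type>": only the
    # kernel-stamped context is compared, never hostname= or addr= in the payload.
    return subj_type(rec) == wanted_type

def report_time_keep(rec, drop_uids=(), drop_addrs=(), drop_hosts=()):
    # Report-time selection (assumption: hiding from a report is acceptable).
    # Only CRYPTO_KEY_USER records are candidates; everything stays on disk.
    if rec["type"] != "CRYPTO_KEY_USER":
        return True
    return not (rec["kernel"].get("uid") in drop_uids
                or rec["user"].get("addr") in drop_addrs
                or rec["user"].get("hostname") in drop_hosts)

RECORDS = [parse(line) for line in SAMPLE]
```

Note that a subj_type match is coarse: in this model it drops every user-space record from that SELinux type, not only CRYPTO_KEY_USER.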



