From: LC Bruzenak <lenny@magitekltd.com>
To: linux-audit@redhat.com
Subject: need rules help
Date: Wed, 05 Aug 2009 21:45:45 -0500
Message-ID: <1249526745.12117.986.camel@homeserver>

I searched the list for an example but see nothing applicable.
I need to be able to exclude the following event example:

node=jcdx type=PATH msg=audit(07/20/2009 00:00:16.469:24295) : item=0
name=/var/opt/jcdx/tracks/mltrackdb/AcousticTracks.inst/040fd238ede9dfbbc19e012c7633836f/AcousticTracks 
node=jcdx type=CWD msg=audit(07/20/2009 00:00:16.469:24295) :  cwd=/ 
node=jcdx type=SYSCALL msg=audit(07/20/2009 00:00:16.469:24295) :
arch=i386 syscall=stat64 success=no exit=-13(Permission denied)
a0=8813598 a1=ffdfed24 a2=c91ff4 a3=ffdfee5c items=1 ppid=1 pid=2747
auid=unset uid=root gid=unknown(450) euid=root suid=root fsuid=root
egid=unknown(450) sgid=unknown(450) fsgid=unknown(450) tty=(none)
ses=4294967295 comm=mtdb exe=/opt/jcdx/sbin/mtdb
subj=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 key=(null) 
node=jcdx type=AVC msg=audit(07/20/2009 00:00:16.469:24295) : avc:
denied  { search } for  pid=2747 comm=mtdb
name=040fd238ede9dfbbc19e012c7633836f dev=dm-0 ino=71632
scontext=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511
tcontext=system_u:object_r:jcdx_stdb_var_t:s15:c0.c1023 tclass=dir 


I thought that the following would work:
-a never,exit -F subj_type=jcdx_mtdb_t -F obj_type=jcdx_stdb_var_t

but it doesn't stop the event from getting into the log.

I saw Steve's suggestion back in January about using the exclude rule,
but that one says "only msgtype field works with exclude filter", so I
cannot include any other "-F" options.

Any ideas?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
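To see where each SELinux type named in the rule actually appears in the records of the quoted event, here is an added example (not part of this thread, and not from the audit project) that groups ausearch-style records by audit serial and extracts the types. The sample is a constructed, trimmed copy of the event above; field names follow the record text itself.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the event quoted in the post: one record
# per line, and the SYSCALL record keeps only the fields inspected below.
SAMPLE = """\
node=jcdx type=PATH msg=audit(07/20/2009 00:00:16.469:24295) : item=0 name=/var/opt/jcdx/tracks/mltrackdb/AcousticTracks.inst/040fd238ede9dfbbc19e012c7633836f/AcousticTracks
node=jcdx type=CWD msg=audit(07/20/2009 00:00:16.469:24295) :  cwd=/
node=jcdx type=SYSCALL msg=audit(07/20/2009 00:00:16.469:24295) : arch=i386 syscall=stat64 success=no exit=-13(Permission denied) pid=2747 comm=mtdb exe=/opt/jcdx/sbin/mtdb subj=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 key=(null)
node=jcdx type=AVC msg=audit(07/20/2009 00:00:16.469:24295) : avc:  denied  { search } for  pid=2747 comm=mtdb name=040fd238ede9dfbbc19e012c7633836f dev=dm-0 ino=71632 scontext=system_u:system_r:jcdx_mtdb_t:s0-s6:c0.c511 tcontext=system_u:object_r:jcdx_stdb_var_t:s15:c0.c1023 tclass=dir
"""

# The serial is the number after the last ':' inside msg=audit(...).
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Group records by audit serial. Each record becomes a dict of
    key=value fields; values containing spaces (e.g. the exit= reason)
    are cut at the first space, which does not affect the fields used here."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[m.group(1)].append(dict(FIELD_RE.findall(line)))
    return dict(events)


def selinux_type(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def summarize(records):
    """Where each type shows up in one event: subj= on the SYSCALL record
    (the process label), obj= on PATH records (the path label, present only
    when the kernel logged it; absent in the quoted record), and the AVC
    tcontext, the only place the target type is printed in this event."""
    return {
        "subj_types": {selinux_type(r["subj"]) for r in records
                       if r["type"] == "SYSCALL" and "subj" in r},
        "path_obj_types": {selinux_type(r["obj"]) for r in records
                           if r["type"] == "PATH" and "obj" in r},
        "avc_target_types": {selinux_type(r["tcontext"]) for r in records
                             if r["type"] == "AVC" and "tcontext" in r},
    }


if __name__ == "__main__":
    for serial, records in parse_events(SAMPLE).items():
        print(serial, [r["type"] for r in records], summarize(records))
```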
