filter specific file from specific program

filter specific file from specific program

[Lance Dillon]

I have a need to filter a file from auditing, but only from a specific process.  
We are running splunk, and indexing /var/log/audit/audit.log.  We want audit.log 
to be monitored, so we are using a dir watch on /var/log/audit, but we just 
don't want splunk access to be reported.  Filtering on obj_type doesn't work (-F 
obj_type=auditd_log_t), because it filters everything, not that specific 
process.  However, it actually spawns another process to do the actual access, 
so I can't filter on pid either.  It runs unconfined, so I can't filter on 
subj_type=unconfined_t, because that would filter way too much.

It was suggested to me to use audit roles.  If this is something separate from 
selinux context, perhaps someone can point me in the right direction?  I only 
want to filter out (not audit) access to audit.log from the specific process 
/opt/splunkforwarder/bin/splunkd (and any forks it may do).

I've been looking at creating a separate selinux context for splunk, which will 
do the trick, but is proving harder than I thought because it ends up forking 
off other programs, like top and rpm and nptdate, that run under different 
contexts than splunk (unconfined_t, rpm_t, and ntpdate_t respectively), so being 
confined to a splunk_t type prevents those programs from running properly.

If anybody has any idea, or can point me in the right direction, i would 
appreciate it.

Thanks

RE: filter specific file from specific program

[David J. Fisher]

Hi Lance,
  I had this same issue when I started indexing audit.log using Splunk. I have all but one system running the Unix app in Splunk to index the audit file (found under apps, *NIX , setup). It polls the var/log/audit/audit.log file using ausearch. This does not create a splunkd entry in the log file. This works great because it will convert user IDs to a user name not a number. However, I have a system that this process will not work on (still not sure why).  On this one, I did create a rule with the help of Steve Grubb (thanks) to have my /etc/audit/audit.rules ignore the process splunkd and root touches to /var/log/audit.log. My splunkd runs with root privileges. My OS is Redhat 5.5 enterprise.

Audit.rules entry:
-a exit,always -F dir=/var/log/audit/ -F auid>500 -F auid!=-1 -k audit.logs

Using this, I have to tag the UID with the actual user name in Splunk.

Hope this helps,
David Fisher


-----Original Message-----
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Lance Dillon
Sent: Tuesday, November 29, 2011 2:39 PM
To: linux-audit@redhat.com
Subject: filter specific file from specific program

I have a need to filter a file from auditing, but only from a specific process.  
We are running splunk, and indexing /var/log/audit/audit.log.  We want audit.log to be monitored, so we are using a dir watch on /var/log/audit, but we just don't want splunk access to be reported.  Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it filters everything, not that specific process.  However, it actually spawns another process to do the actual access, so I can't filter on pid either.  It runs unconfined, so I can't filter on subj_type=unconfined_t, because that would filter way too much.

It was suggested to me to use audit roles.  If this is something separate from selinux context, perhaps someone can point me in the right direction?  I only want to filter out (not audit) access to audit.log from the specific process /opt/splunkforwarder/bin/splunkd (and any forks it may do).

I've been looking at creating a separate selinux context for splunk, which will do the trick, but is proving harder than I thought because it ends up forking off other programs, like top and rpm and nptdate, that run under different contexts than splunk (unconfined_t, rpm_t, and ntpdate_t respectively), so being confined to a splunk_t type prevents those programs from running properly.

If anybody has any idea, or can point me in the right direction, i would appreciate it.

Thanks

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Re: filter specific file from specific program

[Steve Grubb]

On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote:
> I have a need to filter a file from auditing, but only from a specific
> process. We are running splunk, and indexing /var/log/audit/audit.log.  We
> want audit.log to be monitored, so we are using a dir watch on
> /var/log/audit, but we just don't want splunk access to be reported. 
> Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it
> filters everything, not that specific process. 

The object is the file. The subject would be the program accessing the file. You could 
use subj_type.

> However, it actually spawns another process to do the actual access, so I can't
> filter on pid either.  It runs unconfined, 

Which is a big problem because you really don't want it to be unconfined.

> so I can't filter on subj_type=unconfined_t, because that would filter way too much.
>
> It was suggested to me to use audit roles.  If this is something separate
> from selinux context, perhaps someone can point me in the right direction?
> I only want to filter out (not audit) access to audit.log from the
> specific process /opt/splunkforwarder/bin/splunkd (and any forks it may
> do).

I think you might could make the helper app setgid and then filter that out.

-a never,exit -F gid=xxx

-Steve

Re: filter specific file from specific program

[Lance Dillon]

----- Original Message ----
> From: Steve Grubb <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Cc: Lance Dillon <riffraff169@yahoo.com>
> Sent: Fri, December 2, 2011 10:04:15 AM
> Subject: Re: filter specific file from specific program
> 
> On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote:
> > I have a  need to filter a file from auditing, but only from a specific
> > process.  We are running splunk, and indexing /var/log/audit/audit.log.  We
> >  want audit.log to be monitored, so we are using a dir watch on
> >  /var/log/audit, but we just don't want splunk access to be reported. 
> >  Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because  it
> > filters everything, not that specific process. 
> 
> The object is  the file. The subject would be the program accessing the file. 
>You could 
>
> use  subj_type.
> 
> > However, it actually spawns another process to do the  actual access, so I 
>can't
> > filter on pid either.  It runs  unconfined, 
> 
> Which is a big problem because you really don't want it to  be unconfined.
> 
> > so I can't filter on subj_type=unconfined_t, because  that would filter way 
>too much.
> >
> > It was suggested to me to use  audit roles.  If this is something separate
> > from selinux context,  perhaps someone can point me in the right direction?
> > I only want to  filter out (not audit) access to audit.log from the
> > specific process  /opt/splunkforwarder/bin/splunkd (and any forks it may
> > do).
> 
> I  think you might could make the helper app setgid and then filter that  out.
> 
> -a never,exit -F gid=xxx
> 
> -Steve
>


Thanks for the ideas, but what we decided to do was redefine the problem a 
little bit, which is that we didn't necessarily care if anybody read it, just 
that we could audit modifications.  So we changed it to:

-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b32 -S open -k LOG -k 
audit
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b64 -S open -k LOG -k 
audit

That filters out reads while taking into consideration that files get sorted 
after dirs (at least in the current rhel5 audit package).

Thanks for the help.