From: Lance Dillon <riffraff169@yahoo.com>
To: linux-audit@redhat.com
Subject: Re: filter specific file from specific program
Date: Fri, 2 Dec 2011 07:27:40 -0800 (PST) [thread overview]
Message-ID: <1322839660.47441.YahooMailRC@web83810.mail.sp1.yahoo.com> (raw)
In-Reply-To: <201112021004.15671.sgrubb@redhat.com>
----- Original Message ----
> From: Steve Grubb <sgrubb@redhat.com>
> To: linux-audit@redhat.com
> Cc: Lance Dillon <riffraff169@yahoo.com>
> Sent: Fri, December 2, 2011 10:04:15 AM
> Subject: Re: filter specific file from specific program
>
> On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote:
> > I have a need to filter a file from auditing, but only from a specific
> > process. We are running splunk, and indexing /var/log/audit/audit.log. We
> > want audit.log to be monitored, so we are using a dir watch on
> > /var/log/audit, but we just don't want splunk access to be reported.
> > Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it
> > filters everything, not that specific process.
>
> The object is the file. The subject would be the program accessing the file.
>You could
>
> use subj_type.
>
> > However, it actually spawns another process to do the actual access, so I
>can't
> > filter on pid either. It runs unconfined,
>
> Which is a big problem because you really don't want it to be unconfined.
>
> > so I can't filter on subj_type=unconfined_t, because that would filter way
>too much.
> >
> > It was suggested to me to use audit roles. If this is something separate
> > from selinux context, perhaps someone can point me in the right direction?
> > I only want to filter out (not audit) access to audit.log from the
> > specific process /opt/splunkforwarder/bin/splunkd (and any forks it may
> > do).
>
> I think you might could make the helper app setgid and then filter that out.
>
> -a never,exit -F gid=xxx
>
> -Steve
>
Thanks for the ideas, but what we decided to do was redefine the problem a
little bit, which is that we didn't necessarily care if anybody read it, just
that we could audit modifications. So we changed it to:
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b32 -S open -k LOG -k
audit
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b64 -S open -k LOG -k
audit
That filters out reads while taking into consideration that files get sorted
after dirs (at least in the current rhel5 audit package).
Thanks for the help.
prev parent reply other threads:[~2011-12-02 15:27 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-29 20:38 filter specific file from specific program Lance Dillon
2011-12-01 17:56 ` David J. Fisher
2011-12-02 15:04 ` Steve Grubb
2011-12-02 15:27 ` Lance Dillon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1322839660.47441.YahooMailRC@web83810.mail.sp1.yahoo.com \
--to=riffraff169@yahoo.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox