From mboxrd@z Thu Jan 1 00:00:00 1970 From: Lance Dillon Subject: Re: filter specific file from specific program Date: Fri, 2 Dec 2011 07:27:40 -0800 (PST) Message-ID: <1322839660.47441.YahooMailRC@web83810.mail.sp1.yahoo.com> References: <1322599123.7751.YahooMailRC@web83807.mail.sp1.yahoo.com> <201112021004.15671.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com [10.5.110.16]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id pB2FRgc7032738 for ; Fri, 2 Dec 2011 10:27:42 -0500 Received: from nm6-vm1.access.bullet.mail.sp2.yahoo.com (nm6-vm1.access.bullet.mail.sp2.yahoo.com [98.139.44.115]) by mx1.redhat.com (8.14.4/8.14.4) with SMTP id pB2FRf1d020390 for ; Fri, 2 Dec 2011 10:27:41 -0500 In-Reply-To: <201112021004.15671.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com ----- Original Message ---- > From: Steve Grubb > To: linux-audit@redhat.com > Cc: Lance Dillon > Sent: Fri, December 2, 2011 10:04:15 AM > Subject: Re: filter specific file from specific program > > On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote: > > I have a need to filter a file from auditing, but only from a specific > > process. We are running splunk, and indexing /var/log/audit/audit.log. We > > want audit.log to be monitored, so we are using a dir watch on > > /var/log/audit, but we just don't want splunk access to be reported. > > Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it > > filters everything, not that specific process. > > The object is the file. The subject would be the program accessing the file. >You could > > use subj_type. > > > However, it actually spawns another process to do the actual access, so I >can't > > filter on pid either. It runs unconfined, > > Which is a big problem because you really don't want it to be unconfined. > > > so I can't filter on subj_type=unconfined_t, because that would filter way >too much. > > > > It was suggested to me to use audit roles. If this is something separate > > from selinux context, perhaps someone can point me in the right direction? > > I only want to filter out (not audit) access to audit.log from the > > specific process /opt/splunkforwarder/bin/splunkd (and any forks it may > > do). > > I think you might could make the helper app setgid and then filter that out. > > -a never,exit -F gid=xxx > > -Steve > Thanks for the ideas, but what we decided to do was redefine the problem a little bit, which is that we didn't necessarily care if anybody read it, just that we could audit modifications. So we changed it to: -a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b32 -S open -k LOG -k audit -a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b64 -S open -k LOG -k audit That filters out reads while taking into consideration that files get sorted after dirs (at least in the current rhel5 audit package). Thanks for the help.