public inbox for linux-audit@redhat.com
* exclude rule help
@ 2009-06-25 22:01 LC Bruzenak
From: LC Bruzenak @ 2009-06-25 22:01 UTC (permalink / raw)
  To: Linux Audit

I'm trying to create an audit rule to exclude all rsync actions when run
by a process with a certain subject type (jcdx_fsbackup_t).

Our policy allows the action to happen, however as a result we generate
a ton of audit data on file access and recreation at the target point.

Anyone have a good idea of how to discard all these events? Ideally the
caller would send in a self-generated event such as "rsyncing rick/src2/
to /temp-home" or similar. This is for a dedicated file backup
procedure.

Obviously I do not want to discard all rsync events, just when launched
by our trusted program. Nor would I really want all that program's
events discarded since I want it to be able to submit proactive events
which summarize its behavior.

Below are some event samples. Other ideas are welcome also if my
approach is myopic/flawed.

Thx,
LCB. 

----
node=develop.local.austin.rr.com type=PATH msg=audit(06/22/2009 15:05:37.017:901990) : item=0 name=rick/path1/path2/path3/k4jtCX inode=203842 dev=fd:04 mode=file,600 ouid=root ogid=unknown(1106) rdev=00:00 obj=siterep_u:object_r:user_home_t:s0 
node=develop.local.austin.rr.com type=CWD msg=audit(06/22/2009 15:05:37.017:901990) :  cwd=/temp_home 
node=develop.local.austin.rr.com type=SYSCALL msg=audit(06/22/2009 15:05:37.017:901990) : arch=x86_64 syscall=lchown success=yes exit=0 a0=7ffff2994e30 a1=1f7 a2=44c a3=1 items=1 ppid=5445 pid=5446 auid=rick uid=root gid=unknown(1106) euid=root suid=root fsuid=root egid=unknown(1106) sgid=unknown(1106) fsgid=unknown(1106) tty=pts2 ses=1 comm=rsync exe=/usr/bin/rsync subj=siterep_u:siterep_r:dx_fsbackup_t:s15:c0.c1023 key=perm_mod 

...

----
node=develop.local.austin.rr.com type=PATH msg=audit(06/22/2009 15:05:37.017:901997) : item=3 name=rick/path1/path2/path3/f1 inode=203843 dev=fd:04 mode=file,444 ouid=unknown(503) ogid=unknown(1100) rdev=00:00 obj=system_u:object_r:user_home_t:s0 
node=develop.local.austin.rr.com type=PATH msg=audit(06/22/2009 15:05:37.017:901997) : item=2 name=rick/path1/path2/path3/f2 inode=203843 dev=fd:04 mode=file,444 ouid=unknown(503) ogid=unknown(1100) rdev=00:00 obj=system_u:object_r:user_home_t:s0 
node=develop.local.austin.rr.com type=PATH msg=audit(06/22/2009 15:05:37.017:901997) : item=1 name=rick/path1/path2/path3/d1 inode=203324 dev=fd:04 mode=dir,755 ouid=unknown(503) ogid=unknown(1100) rdev=00:00 obj=system_u:object_r:user_home_t:s0 
node=develop.local.austin.rr.com type=PATH msg=audit(06/22/2009 15:05:37.017:901997) : item=0 name=rick/path1/path2/path3/d2 inode=203324 dev=fd:04 mode=dir,755 ouid=unknown(503) ogid=unknown(1100) rdev=00:00 obj=system_u:object_r:user_home_t:s0 
node=develop.local.austin.rr.com type=CWD msg=audit(06/22/2009 15:05:37.017:901997) :  cwd=/temp_home 
node=develop.local.austin.rr.com type=SYSCALL msg=audit(06/22/2009 15:05:37.017:901997) : arch=x86_64 syscall=rename success=yes exit=0 a0=7ffff2994e30 a1=7ffff2996e30 a2=0 a3=0 items=4 ppid=5445 pid=5446 auid=rick uid=root gid=unknown(1106) euid=root suid=root fsuid=root egid=unknown(1106) sgid=unknown(1106) fsgid=unknown(1106) tty=pts2 ses=1 comm=rsync exe=/usr/bin/rsync subj=siterep_u:siterep_r:dx_fsbackup_t:s15:c0.c1023 key=delete 

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: exclude rule help
@ 2009-06-26  0:22 ` Steve Grubb
From: Steve Grubb @ 2009-06-26  0:22 UTC (permalink / raw)
  To: linux-audit

On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> Anyone have a good idea of how to discard all these events? Ideally the
> caller would send in a self-generated event such as "rsyncing rick/src2/
> to /temp-home" or similar. This is for a dedicated file backup
> procedure.
>
> Obviously I do not want to discard all rsync events, just when launched
> by our trusted program. Nor would I really want all that program's
> events discarded since I want it to be able to submit proactive events
> which summarize its behavior.

With SE Linux, you can create different subject types based on how the 
application was started. Then you can exclude based on the type you assign to 
your subject whenever started by your trusted program.

-Steve


* Re: exclude rule help
@ 2009-06-26  1:22   ` LC Bruzenak
From: LC Bruzenak @ 2009-06-26  1:22 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


On Thu, 2009-06-25 at 20:22 -0400, Steve Grubb wrote:
> On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> > Anyone have a good idea of how to discard all these events? Ideally the
> > caller would send in a self-generated event such as "rsyncing rick/src2/
> > to /temp-home" or similar. This is for a dedicated file backup
> > procedure.
> >
> > Obviously I do not want to discard all rsync events, just when launched
> > by our trusted program. Nor would I really want all that program's
> > events discarded since I want it to be able to submit proactive events
> > which summarize its behavior.
> 
> With SE Linux, you can create different subject types based on how the 
> application was started. Then you can exclude based on the type you assign to 
> your subject whenever started by your trusted program.
> 
> -Steve

Right, but wouldn't that preclude that same program from being able to
proactively submit its own records and also stop any inadvertent audit
events?

I guess I could:
1: start the first process with type1, let type1 audit what it plans to
do, then it could fork/exec/transition to type2.
2: the new process type2 could then run the rsync stuff. I could exclude
all the type2 records
3: the parent would wait for the child to complete and, based on the
exit code, audit success/failure as appropriate?

I guess this is the best way forward, however it scares me a little that
no events will then be logged from the process of that type2. If I
protect it I guess it's OK.

Thx!
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

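The two ideas in this thread (Steve's "exclude on the subject type" and Lenny's three-step split into a logging parent and an rsync-running child) come down to how the kernel's syscall exit filter evaluates rules: it walks the list in order and the first rule whose fields all match decides, so a `never` rule keyed on `subj_type` has to sit above the `always` rules it is meant to silence. (On the kernels of this period the `exclude` list only matched on `msgtype`, so the subject-type suppression goes on the exit list as a `never` rule; the parent's own summary can be sent with `auditctl -m` or `audit_log_user_message(3)` and takes the user filter instead.) The following is an added example, not code from the thread or from the audit project: it simulates that first-match exit filter over constructed records modelled on the samples above. The second type `dx_fsbackup_rsync_t`, the program name `fsbackup` and the record contents are assumptions for illustration.

```python
"""Simulate the audit exit filter (first matching rule wins) over sample records.

Added example, not code from the linux-audit thread. dx_fsbackup_t is the
subject type seen in the thread; dx_fsbackup_rsync_t ("type2") and the
fsbackup program are HYPOTHETICAL. The records below are constructed.
"""
import re
from collections import OrderedDict

# Equivalent audit.rules lines, in list order (subj=user:role:type:range):
#   -a exit,never  -F subj_type=dx_fsbackup_rsync_t
#   -a exit,always -F arch=b64 -S lchown,chown,fchown -F auid>=500 -k perm_mod
#   -a exit,always -F arch=b64 -S rename,unlink,rmdir -F auid>=500 -k delete
RULES_GOOD = [
    {"action": "never", "subj_type": "dx_fsbackup_rsync_t"},
    {"action": "always", "syscalls": {"lchown", "chown", "fchown"}, "key": "perm_mod"},
    {"action": "always", "syscalls": {"rename", "unlink", "rmdir"}, "key": "delete"},
]
# Same rules with the suppression appended last: an always rule matches first,
# so the never rule is dead and the rsync noise is still logged.
RULES_BAD = RULES_GOOD[1:] + RULES_GOOD[:1]

# Constructed records in ausearch -i style, modelled on the thread's samples.
# The SYSCALL lines carry no key= because the matching rule assigns it.
SAMPLE = """\
node=develop type=PATH msg=audit(06/22/2009 15:05:37.017:901990) : item=0 name=rick/path1/k4jtCX inode=203842 dev=fd:04 mode=file,600 ouid=root ogid=unknown(1106) obj=siterep_u:object_r:user_home_t:s0
node=develop type=SYSCALL msg=audit(06/22/2009 15:05:37.017:901990) : arch=x86_64 syscall=lchown success=yes exit=0 ppid=5445 pid=5446 auid=rick uid=root comm=rsync exe=/usr/bin/rsync subj=siterep_u:siterep_r:dx_fsbackup_rsync_t:s15:c0.c1023
node=develop type=SYSCALL msg=audit(06/22/2009 15:05:37.017:901997) : arch=x86_64 syscall=rename success=yes exit=0 ppid=5445 pid=5446 auid=rick uid=root comm=rsync exe=/usr/bin/rsync subj=siterep_u:siterep_r:dx_fsbackup_rsync_t:s15:c0.c1023
node=develop type=SYSCALL msg=audit(06/22/2009 15:05:40.201:902010) : arch=x86_64 syscall=unlink success=yes exit=0 ppid=5401 pid=5445 auid=rick uid=root comm=fsbackup exe=/usr/local/bin/fsbackup subj=siterep_u:siterep_r:dx_fsbackup_t:s15:c0.c1023
node=develop type=USER msg=audit(06/22/2009 15:05:40.250:902011) : pid=5445 uid=root auid=rick ses=1 subj=siterep_u:siterep_r:dx_fsbackup_t:s15:c0.c1023 msg='rsync_rick_src2_done:exit=0'
"""

# The stamp may contain ':' so the serial is the digits after the LAST ':'.
REC_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*):(?P<serial>\d+)\) : ?(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one record into a dict of its key=value fields plus type/serial."""
    m = REC_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def subj_type(rec):
    """Third component of the SELinux label, which -F subj_type compares."""
    return rec["subj"].split(":")[2]


def exit_filter(rules, sc):
    """First rule whose fields all match decides, as on the kernel's exit list.
    Returns (action, key); (None, None) means no rule matched: not logged."""
    for rule in rules:
        if "subj_type" in rule and subj_type(sc) != rule["subj_type"]:
            continue
        if "syscalls" in rule and sc["syscall"] not in rule["syscalls"]:
            continue
        return rule["action"], rule.get("key")
    return None, None


def group_events(lines):
    """Group records by serial: the kernel emits all records of an event together."""
    events = OrderedDict()
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def audit_log(rules, lines):
    """Return {serial: key} for the events that reach the log. Syscall events go
    through the exit filter; a USER message (the parent's summary) takes the
    user filter, not modelled here, so it is passed through with key None."""
    logged = {}
    for serial, recs in group_events(lines).items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            logged[serial] = None
            continue
        action, key = exit_filter(rules, sc)
        if action == "always":
            logged[serial] = key
    return logged


if __name__ == "__main__":
    for name, rules in (("suppression first", RULES_GOOD), ("suppression last", RULES_BAD)):
        print(name, audit_log(rules, SAMPLE.splitlines()))
```

With the `never` rule first, only the parent's own unlink (keyed `delete`) and its USER summary reach the log; with the same rule appended last, both rsync events are logged as well, which is the ordering pitfall to check for whenever a suppression is added to an existing rules file. The simulation only models the fields it needs (subject type, syscall, key); `arch`, `auid` and the other comparators in a real rule set are left out.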
