public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Simon Außerlechner" <s.ausserlechner@gmail.com>
Subject: Re: Audit filtering by parent process path
Date: Tue, 08 Jan 2019 13:30:03 -0500
Message-ID: <2869682.JbjiAQzMxm@x2>
In-Reply-To: <5061c49c-2d0d-0fb1-f303-968b53637b17@gmail.com>

Hello,

On Tuesday, January 8, 2019 12:09:57 AM EST Simon Außerlechner wrote:
> Using the Linux kernel audit system I audit program executions with the
> following audit rule.
> 
> -w /usr/sbin/my-program -p x -k my-program-audit-class
> 
> In order to keep the audit log clean I want to suppress executions of
> my-program if done by a defined set of applications given their path.
> Since the PPID is available in the audit log entry (type=SYSCALL), there
> might be some means to filter out by parent program path at the time the
> audit log is generated, however, I cannot find a solution, also not by
> looking at audit_filter_rules().

There isn't a capability to have auditd or the kernel filter based on the 
parent program's name. We only have the numeric representation.

If your program is supposed to be launched only by a specific known program or 
programs, this is possibly something selinux could help with. This way when 
someone tries it at the command line you get an AVC. This would also assume 
that you do not let people log in as unconfined_t. Another possibility is that 
perhaps you can assign a supplemental group to your programs which launch 
your other program. Have it check that it's inherited the supplemental group 
and exit if not. Or restrict execution by file permissions to that group. It 
should then be possible to look for execution of that returning EPERM.

-Steve

> Introducing helper scripts to clean up
> audit.log by filtering out later on as well as distinguishing by
> user/group, security context are not my preferred options.
> 
> Thank you,
> Simon
> 
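The post-processing filter the original poster mentions, written out as an added example (not code from the thread): it correlates each tagged my-program SYSCALL record with the last audited execve of its ppid, so the parent's exe= field stands in for the parent path the kernel cannot filter on. It assumes execve of the launching programs is audited as well (a `-w ... -p x` watch or an execve syscall rule) and that syscall=59 is execve (x86_64, arch=c000003e); the log lines are constructed.

```python
import re

# Constructed audit.log excerpt (not from the thread); only fields the filter
# needs are present. syscall=59 is execve on x86_64 (arch=c000003e).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1546923000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2200 auid=1000 uid=0 gid=0 comm="launcher" exe="/usr/sbin/launcher" key=(null)
type=SYSCALL msg=audit(1546923001.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=1000 uid=0 gid=0 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"
type=SYSCALL msg=audit(1546923002.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3300 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
type=SYSCALL msg=audit(1546923003.400:104): arch=c000003e syscall=59 success=yes exit=0 ppid=3300 pid=3301 auid=1000 uid=1000 gid=1000 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record line into a dict of its fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def filter_by_parent(lines, key, allowed_parents):
    """Return records tagged with `key` whose parent was NOT an allowed program.

    The parent's path is learned from the most recent successful execve record
    seen for that pid, so the launching programs must be audited too. A parent
    with no recorded execve is kept (reported as "unknown") rather than
    silently suppressed. Pid reuse across a long log can mislead the map;
    keep the correlation window short (e.g. one log rotation).
    """
    exe_by_pid = {}
    kept = []
    for line in lines:
        if not line.startswith("type=SYSCALL"):
            continue
        rec = parse_record(line)
        if rec.get("syscall") == "59" and rec.get("success") == "yes":
            exe_by_pid[rec["pid"]] = rec["exe"]  # pid now runs this image
        if rec.get("key") != key:
            continue
        parent_exe = exe_by_pid.get(rec.get("ppid"))
        if parent_exe in allowed_parents:
            continue  # launched by a known, approved program: drop it
        rec["parent_exe"] = parent_exe or "unknown"
        kept.append(rec)
    return kept


if __name__ == "__main__":
    for r in filter_by_parent(SAMPLE_LOG.splitlines(),
                              "my-program-audit-class", {"/usr/sbin/launcher"}):
        print(f"pid={r['pid']} auid={r['auid']} parent={r['parent_exe']}")
```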

Thread overview: 2+ messages
2019-01-08  5:09 Audit filtering by parent process path Simon Außerlechner
2019-01-08 18:30 ` Steve Grubb [this message]