From: Steve Grubb
Subject: Re: Audit filtering by parent process path
Date: Tue, 08 Jan 2019 13:30:03 -0500
Message-ID: <2869682.JbjiAQzMxm@x2>
In-Reply-To: <5061c49c-2d0d-0fb1-f303-968b53637b17@gmail.com>
To: linux-audit@redhat.com
Cc: Simon Außerlechner
List-Id: linux-audit@redhat.com

Hello,

On Tuesday, January 8, 2019 12:09:57 AM EST Simon Außerlechner wrote:
> Using the Linux kernel audit system I audit program executions with the
> following audit rule.
>
> -w /usr/sbin/my-program -p x -k my-program-audit-class
>
> In order to keep the audit log clean I want to suppress executions of
> my-program if done by a defined set of applications given their path.
> Since the PPID is available in the audit log entry (type=SYSCALL), there
> might be some means to filter out by parent program path at the time the
> audit log is generated, however, I cannot find a solution, also not by
> looking at audit_filter_rules().

There isn't a capability to have auditd or the kernel filter based on the
parent program's name. We only have the numeric representation.

If your program is supposed to be launched only by a specific known program or
programs, this is possibly something selinux could help with. This way when
someone tries it at the command line you get an AVC. This would also assume
that you do not let people log in as unconfined_t. Another possibility is that
perhaps you can assign a supplemental group to your programs which launch
your other program. Have it check that it's inherited the supplemental group
and exit if not. Or restrict execution by file permissions to that group. It
should then be possible to look for execution of that returning EPERM.

-Steve

> Introducing helper scripts to clean up
> audit.log by filtering out later on as well as distinguishing by
> user/group, security context are not my preferred options.
>
> Thank you,
> Simon
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
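The following is an added example, not part of the thread above and not code from the audit project. It illustrates the two points made in the exchange: a SYSCALL record carries only a numeric ppid, so nothing in the record itself names the parent program; and once the binary is restricted by file mode to a launcher group, a denied execve shows up as a SYSCALL record with success=no and the errno in the exit field. The sample records are constructed to match the rule and key from Simon's mail (field values such as ppid=1234, uid=1001 and the timestamps are made up). The supplemental-group guard is the in-program check Steve suggests, with the group list injectable so it can be tested without real group membership. On Linux, execute permission denied by file mode is reported as EACCES, so the filter keys on success=no rather than on one specific errno value.

```python
"""Parse constructed Linux audit SYSCALL records and apply the checks
discussed on the list: the numeric-only ppid, and denied execve records
after a program is restricted by file mode to a launcher group."""
import errno
import grp
import os
import re
import sys
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample records (not captured from a real system).
# Note that ppid is numeric only: no parent path is recorded, which is why
# an audit rule cannot match on the parent program's name.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1546972800.123:401): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d4c0 a1=55d500 a2=55d600 a3=0 items=2 ppid=1234 '
    'pid=4321 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 '
    'comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"',
    # Denied execve: the image was not replaced, so comm/exe still name the
    # caller (the shell) and exit carries the negative errno (-13 = EACCES).
    'type=SYSCALL msg=audit(1546972801.456:402): arch=c000003e syscall=59 '
    'success=no exit=-13 a0=55d4c0 a1=55d500 a2=55d600 a3=0 items=1 ppid=5678 '
    'pid=8765 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 '
    'comm="bash" exe="/usr/bin/bash" key="my-program-audit-class"',
]

# key=value pairs; values are either double-quoted or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict; surrounding quotes are stripped."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def errno_name(exit_field: str) -> Optional[str]:
    """Map the negative exit value of a failed syscall to its errno name."""
    value = int(exit_field)
    if value >= 0:
        return None
    return errno.errorcode.get(-value, "errno %d" % -value)


def denied_execs(lines: Sequence[str], key: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (caller exe, ppid, errno name) for every failed SYSCALL record
    under `key`: the signal Steve describes once the binary is group-restricted."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        if rec.get("success") == "no":
            # ppid is all the record gives us about the parent: a number.
            out.append((rec["exe"], rec["ppid"], errno_name(rec["exit"])))
    return out


def inherited_gid(gid: int, groups: Optional[Sequence[int]] = None) -> bool:
    """The in-program guard: is the launcher group among the supplemental
    groups this process inherited? `groups` is injectable for testing and
    defaults to the live process's group list."""
    present = os.getgroups() if groups is None else groups
    return gid in present


def require_launcher_group(group_name: str) -> None:
    """Exit if the process was not started by a member of `group_name`
    (the group name is a hypothetical placeholder chosen by the deployer)."""
    try:
        gid = grp.getgrnam(group_name).gr_gid
    except KeyError:
        sys.exit("launcher group %s does not exist" % group_name)
    if not inherited_gid(gid):
        sys.exit("refusing to run: not launched via group %s" % group_name)


if __name__ == "__main__":
    for exe, ppid, err in denied_execs(SAMPLE_RECORDS, "my-program-audit-class"):
        print("denied execve from %s (ppid %s): %s" % (exe, ppid, err))
```

Running the block over the constructed records reports the second one (the denied execve from the shell) and skips the successful launch. The ppid printed alongside is all the record offers about the parent; resolving it to a path after the fact would require looking at a process that may already have exited, which is the gap the thread is about.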