* Audit filtering by parent process path
@ 2019-01-08 5:09 Simon Außerlechner
2019-01-08 18:30 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Simon Außerlechner @ 2019-01-08 5:09 UTC (permalink / raw)
To: linux-audit
Hi,
Using the Linux kernel audit system I audit program executions with the
following audit rule.
-w /usr/sbin/my-program -p x -k my-program-audit-class
In order to keep the audit log clean I want to suppress executions of
my-program if done by a defined set of applications given their path.
Since the PPID is available in the audit log entry (type=SYSCALL), there
might be some means to filter out by parent program path at the time the
audit log is generated, however, I cannot find a solution, also not by
looking at audit_filter_rules(). Introducing helper scripts to clean up
audit.log by filtering out later on as well as distinguishing by
user/group, security context are not my preferred options.
Thank you,
Simon
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Audit filtering by parent process path
2019-01-08 5:09 Audit filtering by parent process path Simon Außerlechner
@ 2019-01-08 18:30 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2019-01-08 18:30 UTC (permalink / raw)
To: linux-audit; +Cc: Simon Außerlechner
Hello,
On Tuesday, January 8, 2019 12:09:57 AM EST Simon Außerlechner wrote:
> Using the Linux kernel audit system I audit program executions with the
> following audit rule.
>
> -w /usr/sbin/my-program -p x -k my-program-audit-class
>
> In order to keep the audit log clean I want to suppress executions of
> my-program if done by a defined set of applications given their path.
> Since the PPID is available in the audit log entry (type=SYSCALL), there
> might be some means to filter out by parent program path at the time the
> audit log is generated, however, I cannot find a solution, also not by
> looking at audit_filter_rules().
There isn't a capability to have auditd or the kernel to filter based on the
parent program's name. We only have the numeric representation.
If your program is supposed to be launched only by a specific known program or
programs, this is possibly something selinux could help with. This way when
someone tries it at the command line you get an AVC. This would also assume
that you do not let people log in as unconfined_t. Another possibility is that
perhaps you can assign a supplemental group to your programs which launch
your other program. Have it check that its inherited the supplemental group
and exit if not. Or restrict execution by file permissions to that group. It
should then be possible to look for execution of that returning EPERM.
-Steve
> Introducing helper scripts to clean up
> audit.log by filtering out later on as well as distinguishing by
> user/group, security context are not my preferred options.
>
> Thank you,
> Simon
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-01-08 18:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-01-08 5:09 Audit filtering by parent process path Simon Außerlechner
2019-01-08 18:30 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox