Not auditing dispatchers

Not auditing dispatchers

[Matthew Booth]

The kernel ignores auditable events from the audit daemon, but is there 
an 'approved' way to achieve the same for dispatchers? The problem is 
the same, in that you get an infinite loop if the dispatcher itself 
performs any action which generates an audit record.

Thanks,

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

Re: Not auditing dispatchers

[Linda Knippers]

You could construct your audit rules dynamically so that they
exclude the dispatcher.  You'd have to know its pid and then have
a -F pid!= xxx option on your audit rules.  I haven't tried that
but it should work.  You'd have to re-do the rules if the dispatcher
was restarted so its kind of clunky.

I think the feature that LAuS had for letting trusted programs
enable/disable auditing of themselves was kind of handy.

-- ljk

Matthew Booth wrote:
> The kernel ignores auditable events from the audit daemon, but is there
> an 'approved' way to achieve the same for dispatchers? The problem is
> the same, in that you get an infinite loop if the dispatcher itself
> performs any action which generates an audit record.
> 
> Thanks,
> 
> Matt