From: Simon Außerlechner
Subject: Audit filtering by parent process path
Date: Tue, 8 Jan 2019 06:09:57 +0100
Message-ID: <5061c49c-2d0d-0fb1-f303-968b53637b17@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

Using the Linux kernel audit system I audit program executions with the following audit rule:

    -w /usr/sbin/my-program -p x -k my-program-audit-class

In order to keep the audit log clean I want to suppress executions of my-program if they are done by a defined set of applications, given by their path. Since the PPID is available in the audit log entry (type=SYSCALL), there might be some means to filter by parent program path at the time the audit log is generated; however, I cannot find a solution, not even by looking at audit_filter_rules().

Introducing helper scripts that clean up audit.log by filtering afterwards, or distinguishing by user/group or security context, are not my preferred options.

Thank you,
Simon
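The post-hoc approach the question mentions (and sets aside) is shown below as an added example; it is not code from the original message or from the audit project. It parses constructed type=SYSCALL records of the shape auditd writes when the rule above fires, reads the ppid field, and drops records whose parent executable is on a suppression list. Because the SYSCALL record carries only the numeric ppid and not the parent's path, the parent path has to come from somewhere else; the PARENT_EXE_BY_PID table is a constructed stand-in for a live lookup such as /proc/<ppid>/exe, which is exactly the gap the question is asking the kernel filter to close. The sample records, pids and timestamps are made up for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records, shaped like the type=SYSCALL lines auditd writes
# when "-w /usr/sbin/my-program -p x -k my-program-audit-class" fires.
# Timestamps, serials and pids are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1546923600.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"
type=SYSCALL msg=audit(1546923600.202:202): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"
type=SYSCALL msg=audit(1546923600.303:203): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"
type=CWD msg=audit(1546923600.303:203): cwd="/root"
"""

# Constructed stand-in for resolving a parent pid to its executable path
# (on a live system this would be a /proc/<ppid>/exe lookup, which is racy
# because the parent may have exited by the time the log is processed).
PARENT_EXE_BY_PID: Dict[int, str] = {
    1000: "/usr/bin/bash",
    2000: "/usr/lib/systemd/systemd",
    3000: "/usr/bin/sudo",
}

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of fields, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def filter_executions(log_text: str, key: str, suppressed_parents: Iterable[str],
                      parent_exe_lookup: Dict[int, str]) -> List[Dict[str, str]]:
    """Return the SYSCALL records tagged with `key` whose parent executable is
    not in `suppressed_parents`. Records whose ppid cannot be resolved are kept,
    so an unresolvable parent never silently hides an execution."""
    suppressed = set(suppressed_parents)
    kept: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue  # other record types and other rules are not our concern here
        parent_exe = parent_exe_lookup.get(int(rec["ppid"]))
        if parent_exe in suppressed:
            continue  # execution launched by an allow-listed parent: drop it
        rec["parent_exe"] = parent_exe if parent_exe is not None else "<unresolved>"
        kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_executions(SAMPLE_AUDIT_LOG, "my-program-audit-class",
                                 ["/usr/lib/systemd/systemd"], PARENT_EXE_BY_PID):
        print(f'{rec["msg"]} pid={rec["pid"]} ppid={rec["ppid"]} parent={rec["parent_exe"]}')
```

The keep-on-unresolved rule in filter_executions is deliberate: if the parent has already exited, the filter has no evidence that the execution was benign, so it stays in the output rather than being dropped.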