From: LC Bruzenak <lenny@magitekltd.com>
To: linux-audit@redhat.com
Subject: Re: Excluding few executable from audit.rules  in redhat6.5
Date: Mon, 17 Nov 2014 10:14:59 -0600	[thread overview]
Message-ID: <546A1F03.3030805@magitekltd.com> (raw)
In-Reply-To: <2049003.dURlEamkhM@x2>

On 11/17/2014 09:30 AM, Steve Grubb wrote:
> Well, what do you really want to do? In general, I'd look at the original 
> auditing rule to see if its scope can be narrowed. In this case, it appears 
> that you are wanting all calls to chmod. Why? Are you more concerned with 
> failed calls to chmod, meaning a user is trying to change system files? Are 
> system daemons calling chmod OK? Or do you really want everything? Or do you 
> want no events at all for that daemon no matter what the syscall?
>
> The event you are showing is that app successfully making a directory world 
> writable/readable. It's setting the sticky bit, so it's "safe."
I think this is auditing because the supplied STIG rules specify it.
The "perm_mod" key is the hint. You probably do not want to remove this
rule for all chmod syscalls.

You cannot exclude an executable itself from the rule set by name.
The "exclude" option only applies to event types.
 
You could exclude it by type, except it is running as a generic
unconfined_t.
Perhaps it can be mitigated by "-F path !=<path>" or something similar.
Check the auditctl man page for options.

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
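The practical check behind this answer, added here as an example (it is not code from the list post, from the STIG, or from the audit project): before narrowing or dropping a `perm_mod` rule, summarize which executables, with what outcome and which login uid, are actually producing events under that key. The log records are constructed samples in the shape of `type=SYSCALL` lines from `/var/log/audit/audit.log`; the path `/usr/local/bin/somedaemon` is a placeholder, and `perm_mod_rule` emits the common STIG form of the chmod rule for RHEL 6, assuming 500 as the lowest regular-user uid.

```shell
#!/bin/sh
# Added example, not part of the list post or of the audit project.
# Triage helper: which executables are producing events under an audit key?
# The records below are constructed samples shaped like type=SYSCALL lines
# in /var/log/audit/audit.log (field order and values are illustrative).

SAMPLE_LOG='type=SYSCALL msg=audit(1416240000.101:4001): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=1 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 comm="somedaemon" exe="/usr/local/bin/somedaemon" subj=unconfined_u:system_r:unconfined_t:s0 key="perm_mod"
type=PATH msg=audit(1416240000.101:4001): item=0 name="/var/tmp/somedaemon" inode=1234 mode=041777 ouid=0 ogid=0
type=SYSCALL msg=audit(1416240000.205:4002): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=1 pid=2345 auid=4294967295 uid=0 gid=0 euid=0 comm="somedaemon" exe="/usr/local/bin/somedaemon" subj=unconfined_u:system_r:unconfined_t:s0 key="perm_mod"
type=SYSCALL msg=audit(1416240000.310:4003): arch=c000003e syscall=90 success=no exit=-1 items=1 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 comm="chmod" exe="/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"
type=SYSCALL msg=audit(1416240000.400:4004): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=3001 pid=3005 auid=1001 uid=1001 gid=1001 euid=1001 comm="rm" exe="/bin/rm" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="delete"'

# summarize_key KEY: read audit records on stdin, keep only type=SYSCALL
# records tagged with KEY, and count them per (exe, success, auid).
# Output lines look like: "2 /usr/local/bin/somedaemon success=yes auid=4294967295"
summarize_key() {
    awk -v want="$1" '
        $1 == "type=SYSCALL" {
            exe = ""; succ = ""; auid = ""; k = ""
            for (i = 2; i <= NF; i++) {
                if (index($i, "exe=") == 1)          exe  = substr($i, 5)
                else if (index($i, "success=") == 1) succ = $i
                else if (index($i, "auid=") == 1)    auid = $i
                else if (index($i, "key=") == 1)     k    = substr($i, 5)
            }
            gsub(/"/, "", exe); gsub(/"/, "", k)   # strip the quoting used in raw records
            if (k == want) print exe, succ, auid
        }' | sort | uniq -c | sed 's/^ *//'
}

# perm_mod_rule ARCH MIN_UID: the STIG-style chmod rule, scoped to real login
# sessions (auid >= MIN_UID) and excluding the "unset" auid 4294967295
# (processes with no login session, e.g. daemons started at boot).
perm_mod_rule() {
    rule="-a always,exit -F arch=$1 -S chmod -S fchmod -S fchmodat -F auid>=$2 -F auid!=4294967295 -k perm_mod"
    printf '%s\n' "$rule"   # printf, not echo: the string starts with "-a"
}

# Stand-alone usage: summarize the sample log, then show the scoped rule.
printf '%s\n' "$SAMPLE_LOG" | summarize_key perm_mod
perm_mod_rule b64 500
```

If the events in question carry `auid=4294967295`, the process has no login session, and a rule carrying the `-F auid>=500 -F auid!=4294967295` filters would not have matched it at all; so the first thing to verify is that the installed `perm_mod` rule actually has those filters (`auditctl -l`). If it does, and the unwanted events still show a real auid, you are in the situation the reply describes: the rule itself cannot be told to ignore one binary by name, and the remaining options are narrowing the rule's fields or filtering at search time with `ausearch`.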
