From: "Richard Young"
To: linux-audit@redhat.com
Subject: Excluding selected CRYPTO_KEY_USER events
Date: Sat, 9 Jan 2016 10:26:06 -0600

I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would like to exclude just specific ones.
I would like to exclude ones for a specific UID, hostname, or IP.

There are many examples of how to exclude specific files, directory events, or syscall events.

Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by UID, hostname, or IP?
From: Steve Grubb
To: linux-audit@redhat.com
Cc: Richard Young
Subject: Re: Excluding selected CRYPTO_KEY_USER events
Date: Sat, 09 Jan 2016 14:35:08 -0500

On Saturday, January 09, 2016 10:26:06 AM Richard Young wrote:
> I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would
> like to exclude just specific ones.
> I would like to exclude ones for a specific UID, hostname, or IP.
>
> There are many examples of how to exclude specific files, directory events,
> or syscall events.
>
> Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by
> UID, hostname, or IP?

I opened a bz to ask for this capability a little over a month ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1287745

Unfortunately, I don't think you can do anything until that lands. This particular event comes from user space. So, the kernel cannot filter on IP address. And specifically, the kernel can never really filter on IP address because it's typically not an argument to any but 2 or 3 syscalls.

There is a chance that you might be able to use the USER filter if the selinux type is unique to whatever you wanted to remove.

-a never,user -F subj_type=httpd_t

-Steve
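The reply above explains why the kernel rule engine cannot do what was asked: the uid, hostname and addr fields of a CRYPTO_KEY_USER record live inside the text payload that sshd hands to auditd, not in any syscall argument the kernel filter can see. The one place those fields are visible is the emitted record itself, so the remaining option until the requested capability lands is to drop matching records downstream of auditd. The script below is an added example, not code from the linux-audit project or from either poster. It assumes the usual layout of sshd CRYPTO_KEY_USER records (outer `type=... msg=audit(...)` fields followed by a nested `msg='...'` payload carrying `auid`, `hostname`, `addr`, `exe`), the sample records are constructed for illustration, and running it as an audispd plugin stage is an assumption about deployment rather than something the thread describes.

```python
"""Post-hoc exclusion of CRYPTO_KEY_USER records by uid/auid, hostname or addr.

Added example, not part of the linux-audit project or the mailing list thread.
The kernel filter cannot see these fields (the record is composed in user
space), so this filters the text records after auditd has emitted them.
"""
import re
import sys
from typing import Dict, Iterable, List

# key=value tokens; values may be 'single-quoted', "double-quoted" or bare.
_KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

# Constructed sample records in the shape sshd emits; not captured from a real host.
SAMPLE_LOG = """\
type=CRYPTO_KEY_USER msg=audit(1452357961.123:4567): pid=2101 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:9f8e7d6c direction=? spid=2101 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.10 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1452357962.456:4568): pid=2102 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=2102 suid=74  exe="/usr/sbin/sshd" hostname=scanner.example.net addr=10.0.0.5 terminal=? res=success'
type=USER_LOGIN msg=audit(1452357963.789:4569): pid=2101 uid=0 auid=1000 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.1.10 terminal=/dev/pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1452357964.012:4570): pid=2200 uid=1001 auid=1001 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=2200 suid=1001  exe="/usr/sbin/sshd" hostname=? addr=172.16.0.9 terminal=? res=success'
"""


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict.

    The outer msg=audit(...) token is kept under 'msg'; the nested msg='...'
    payload is parsed and merged in without overriding outer fields.
    Surrounding double quotes (exe="...") are removed from values.
    """
    rec: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if key == "msg" and raw.startswith("'"):
            for ikey, iraw in _KV_RE.findall(raw[1:-1]):
                rec.setdefault(ikey, iraw.strip('"'))
        else:
            rec.setdefault(key, raw.strip('"'))
    return rec


def should_drop(rec: Dict[str, str], uids: Iterable[str] = (),
                hostnames: Iterable[str] = (), addrs: Iterable[str] = ()) -> bool:
    """True if a CRYPTO_KEY_USER record matches any exclusion criterion.

    uid is the daemon's uid (0 for sshd); auid is the login uid the key
    belongs to, so a uid criterion is checked against both. Records of any
    other type are always kept.
    """
    if rec.get("type") != "CRYPTO_KEY_USER":
        return False
    uids, hostnames, addrs = set(uids), set(hostnames), set(addrs)
    return (rec.get("uid") in uids or rec.get("auid") in uids
            or rec.get("hostname") in hostnames or rec.get("addr") in addrs)


def filter_lines(lines: Iterable[str], **criteria) -> List[str]:
    """Return the records that survive the exclusion, unchanged."""
    return [ln for ln in lines
            if ln.strip() and not should_drop(parse_record(ln), **criteria)]


def main() -> None:
    # Pipeline stage: records in on stdin, survivors out on stdout. With no
    # piped input the constructed sample is used so the script runs stand-alone.
    source = SAMPLE_LOG.splitlines(keepends=True) if sys.stdin.isatty() else sys.stdin
    for ln in filter_lines(source, uids={"1000"}, addrs={"10.0.0.5"}):
        sys.stdout.write(ln)


if __name__ == "__main__":
    main()
```

The record is still generated and still passes through auditd; only the stored copy is trimmed, so this does not reduce the event load the way a kernel-side `-a never,...` rule would, and anything that must stay tamper-evident should be decided before such a filter is put in the path.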