On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote: > I have a need to filter a file from auditing, but only from a specific > process. We are running splunk, and indexing /var/log/audit/audit.log. We > want audit.log to be monitored, so we are using a dir watch on > /var/log/audit, but we just don't want splunk access to be reported. > Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it > filters everything, not that specific process.
The object is the file. The subject would be the program accessing the file. You could use subj_type. > However, it actually spawns another process to do the actual access, so I > can't > filter on pid either. It runs unconfined, Which is a big problem because you really don't want it to be unconfined. > so I can't filter on subj_type=unconfined_t, because that would filter way > too much. > > It was suggested to me to use audit roles. If this is something separate > from selinux context, perhaps someone can point me in the right direction? > I only want to filter out (not audit) access to audit.log from the > specific process /opt/splunkforwarder/bin/splunkd (and any forks it may > do). I think you might could make the helper app setgid and then filter that out. -a never,exit -F gid=xxx -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
