----- Original Message ----
> From: Steve Grubb <[email protected]>
> To: [email protected]
> Cc: Lance Dillon <[email protected]>
> Sent: Fri, December 2, 2011 10:04:15 AM
> Subject: Re: filter specific file from specific program
>
> On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote:
> > I have a need to filter a file from auditing, but only from a specific
> > process. We are running splunk, and indexing /var/log/audit/audit.log. We
> > want audit.log to be monitored, so we are using a dir watch on
> > /var/log/audit, but we just don't want splunk access to be reported.
> > Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because it
> > filters everything, not that specific process.
>
> The object is the file. The subject would be the program accessing the file.
>You could
>
> use subj_type.
>
> > However, it actually spawns another process to do the actual access, so I
>can't
> > filter on pid either. It runs unconfined,
>
> Which is a big problem because you really don't want it to be unconfined.
>
> > so I can't filter on subj_type=unconfined_t, because that would filter way
>too much.
> >
> > It was suggested to me to use audit roles. If this is something separate
> > from selinux context, perhaps someone can point me in the right direction?
> > I only want to filter out (not audit) access to audit.log from the
> > specific process /opt/splunkforwarder/bin/splunkd (and any forks it may
> > do).
>
> I think you might could make the helper app setgid and then filter that out.
>
> -a never,exit -F gid=xxx
>
> -Steve
>
Thanks for the ideas, but what we decided to do was redefine the problem a
little bit, which is that we didn't necessarily care if anybody read it, just
that we could audit modifications. So we changed it to:
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b32 -S open -k LOG -k
audit
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b64 -S open -k LOG -k
audit
That filters out reads while taking into consideration that files get sorted
after dirs (at least in the current rhel5 audit package).
Thanks for the help.
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
