> Or if selinux is in force, create policy for the events you definitely
> want, then look for those types (either subject or object) in your rule.
> This is something I've seen before, where renames that are desired to be
> audited use the provided system tools, but for locally developed
> application code, they are made to run inside a certain type of a custom
> executable and then that type is excluded from the rename syscall rule.
> Ideally, the code which is written would self-audit a 1-liner like "I am
> going to rename every file under dir /opt/special/stuff/" using
> audit_log_user_message so you still have some idea what is happening (if
> you care).
>
> Then your "my-rename" program subject type of my_rename_t can be used as
> an exclude on the rule. Of course, the caller must then know to use this
> rather than the standard utilities.
This sounds useful and might solve our problem. Will it be possible to share some examples of how this can be achieved?

--
Anurag Aggarwal
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
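An added illustration, not from either poster, of the rule shape the quoted reply describes: the broad rename rule next to the narrowed one that excludes the wrapper's SELinux subject type. The type name my_rename_t, the directory /opt/special/stuff and the key special_rename are taken from the quote or assumed; loading the rules needs root and a running auditd, so the script only prints them, and the wrapper's own self-report would still come from audit_log_user_message as the quote says.

```shell
#!/bin/sh
# Added example (not the thread's own code). Prints two candidate rule
# sets for /etc/audit/rules.d/ so they can be reviewed before loading.
# Assumptions: my_rename_t is the SELinux domain the "my-rename" wrapper
# runs in; /opt/special/stuff is the directory of interest.

# Broad form: every rename under the directory is recorded, including
# those the trusted wrapper performs, so expected churn fills the log.
broad_rename_rules() {
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S rename,renameat,renameat2 -F dir=/opt/special/stuff -k special_rename' \
        '-a always,exit -F arch=b32 -S rename,renameat,renameat2 -F dir=/opt/special/stuff -k special_rename'
}

# Narrowed form: renames by a process in my_rename_t are skipped (that
# program announces its intent itself), renames from any other subject
# type under the directory are still recorded with the same key.
narrowed_rename_rules() {
    printf '%s\n' \
        '-a always,exit -F arch=b64 -S rename,renameat,renameat2 -F dir=/opt/special/stuff -F subj_type!=my_rename_t -k special_rename' \
        '-a always,exit -F arch=b32 -S rename,renameat,renameat2 -F dir=/opt/special/stuff -F subj_type!=my_rename_t -k special_rename'
}

# Review check: does the given rule set carry the subject-type exclusion?
has_subject_exclusion() {
    "$1" | grep -q -- '-F subj_type!=my_rename_t'
}

narrowed_rename_rules
```

Both 32-bit and 64-bit arch lines are emitted because a syscall rule only matches the ABI it names.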