>
> Or if SELinux is in force, create policy for the events you definitely
> want, then look for those types (either subject or object) in your rule.
> This is something I've seen before, where renames that are desired to be
> audited use the provided system tools, but for locally developed
> application code, they are made to run inside a certain type of a custom
> executable and then that type is excluded from the rename syscall rule.
> Ideally, the code which is written would self-audit a 1-liner like "I am
> going to rename every file under dir /opt/special/stuff/" using
> audit_log_user_message so you still have some idea what is happening (if
> you care).
>
> Then your "my-rename" program subject type of my_rename_t can be used as
> an exclude on the rule. Of course, the caller must then know to use this
> rather than the standard utilities.
>

This sounds useful and might solve our problem. Will it be possible to
share some examples of how this can be achieved?

-- 
Anurag Aggarwal
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
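
One way to lay out the approach discussed in this thread, as an added example that is not from the thread or any of its participants: a rename audit rule that exempts one SELinux subject type, and the body of the "my-rename" tool that announces its bulk rename first. The type `my_rename_t` is taken from the message above; the key `file-rename`, the function names and the use of `auditctl -m` in place of a C call to `audit_log_user_message` are assumptions, and the SELinux policy that makes the tool run as `my_rename_t` is not shown.

```shell
#!/bin/sh
# Added example. Key name, function names and suffix handling are assumptions.
EXEMPT_TYPE=${EXEMPT_TYPE:-my_rename_t}
AUDIT_KEY=${AUDIT_KEY:-file-rename}

# Print audit.rules lines: record rename-family syscalls unless the calling
# process runs as the exempt SELinux subject type.
rename_rules() {
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S rename,renameat,renameat2 -F subj_type!=$EXEMPT_TYPE -F key=$AUDIT_KEY"
    done
}

# Send one user-space audit record. auditctl -m needs CAP_AUDIT_WRITE.
# Redefine this function for dry runs on a machine without auditd.
send_audit_msg() {
    auditctl -m "$1"
}

# Body of the hypothetical "my-rename" tool: write the one-line self-audit
# record first, then append a suffix to every regular file directly under
# the directory. If the audit record cannot be written, nothing is renamed,
# so the exempt type never renames files silently.
bulk_rename() {
    dir=$1
    suffix=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    send_audit_msg "my-rename: renaming every file under $dir (suffix $suffix)" || return 1
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mv -- "$f" "$f$suffix" || return 1
        count=$((count + 1))
    done
    echo "$count"   # number of files renamed
}
```

The output of `rename_rules` is meant for a rules file loaded by the audit daemon; renames done with the standard utilities still match the rule because they do not run as `my_rename_t`.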
