On Thu, Mar 2, 2023 at 12:24 PM Lenny Bruzenak <le...@magitekltd.com> wrote:
> On 3/1/23 22:13, Anurag Aggarwal wrote:
>>
>> Or if selinux is in force, create policy for the events you definitely want,
>> then look for those types (either subject or object) in your rule. This is
>> something I've seen before, where renames that are desired to be audited use
>> the provided system tools, but for locally developed application code, they
>> are made to run inside a certain type of a custom executable and then that
>> type is excluded from the rename syscall rule. Ideally, the code which is
>> written would self-audit a 1-liner like "I am going to rename every file
>> under dir /opt/special/stuff/" using audit_log_user_message so you still
>> have some idea what is happening (if you care).
>>
>> Then your "my-rename" program subject type of my_rename_t can be used as an
>> exclude on the rule. Of course, the caller must then know to use this rather
>> than the standard utilities.
>
>
> This sounds useful and might solve our problem, will it be possible to share
> some examples on how this can be achieved?
>
> Replying off-list as it is not specifically audit-focused. See Paul, I CAN
> learn. 😁
;)

-- 
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
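A sketch of the mechanism Lenny describes, as an added example that is not part of the thread: the rename-syscall rule with the subject-type exclusion, and a trusted wrapper that self-audits through `auditctl -m` (the command-line counterpart of `audit_log_user_message()`) before it renames anything. The domain name `my_rename_t`, the rule key and the sample paths are assumptions; the SELinux policy that defines the domain and the transition into it is not shown.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an SELinux domain my_rename_t
# already exists and that this wrapper runs inside it (via a domain
# transition on its executable); the policy for that is out of scope here.

RENAME_DOMAIN="my_rename_t"   # assumed subject type of the trusted wrapper
RULE_KEY="file_rename"        # assumed key for searching with ausearch -k

# Emit audit rules that record every rename-family syscall from every
# process EXCEPT those running in the trusted domain. Covering renameat2
# matters: mv and rename(2) wrappers in glibc commonly use it.
rename_audit_rules() {
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S rename -S renameat -S renameat2 -F subj_type!=$RENAME_DOMAIN -k $RULE_KEY"
    done
}

# Build the one-line self-audit message the wrapper announces before acting,
# so the audit trail still says what the excluded domain is about to do.
self_audit_message() {
    printf 'my-rename: renaming every file under %s (op=%s)' "$1" "$2"
}

# The trusted wrapper: announce first (needs CAP_AUDIT_WRITE), then rename.
# If the self-audit record cannot be written, refuse to proceed.
my_rename() {
    src="$1"; dst="$2"
    auditctl -m "$(self_audit_message "$(dirname -- "$src")" "$src -> $dst")" || return 1
    mv -n -- "$src" "$dst"
}

case "${1:-}" in
    rules) rename_audit_rules ;;   # e.g. rules > /etc/audit/rules.d/50-rename.rules
    run)   my_rename "$2" "$3" ;;  # e.g. run /opt/special/stuff/a /opt/special/stuff/b
esac
```

Callers that use plain `mv` still run in their own domain and so still match the rule; only renames issued from `my_rename_t` are left to the self-audit record.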