<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>On 3/1/23 22:13, Anurag Aggarwal wrote:<br>
</p>
<blockquote type="cite"
cite="mid:CAPoNrtvj1xXDXfgNe=r2ETqYYODqXqYn6LX=w=eGYon1PO2TBA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<p>Or if selinux is in force, create policy for the events
you definitely want, then look for those types (either
subject or object) in your rule. This is something I've
seen before, where renames that are desired to be
audited use the provided system tools, but for locally
developed application code, they are made to run inside
a certain type of a custom executable and then that type
is excluded from the rename syscall rule. Ideally, the
code which is written would self-audit a 1-liner like "I
am going to rename every file under dir
/opt/special/stuff/" using audit_log_user_message so you
still have some idea what is happening (if you care).<br>
</p>
<p>Then your "my-rename" program subject type of
my_rename_t can be used as an exclude on the rule. Of
course, the caller must then know to use this rather
than the standard utilities.</p>
</div>
</blockquote>
<div><br>
</div>
<div>This sounds useful and might solve our problem, will it
be possible to share some examples on how this can be
achieved? </div>
</div>
</div>
</blockquote>
<p><br>
</p>
<p>Replying off-list as it is not specifically audit-focused. See
Paul, I CAN learn. 😁</p>
<p>LCB<br>
</p>
<pre class="moz-signature" cols="72">--
Lenny Bruzenak
MagitekLTD</pre>
</body>
</html>