filter specific file from specific program

Lance Dillon riffraff169 at yahoo.com
Fri Dec 2 15:27:40 UTC 2011 




----- Original Message ----
> From: Steve Grubb <sgrubb at redhat.com>
> To: linux-audit at redhat.com
> Cc: Lance Dillon <riffraff169 at yahoo.com>
> Sent: Fri, December 2, 2011 10:04:15 AM
> Subject: Re: filter specific file from specific program
> 
> On Tuesday, November 29, 2011 03:38:43 PM Lance Dillon wrote:
> > I have a  need to filter a file from auditing, but only from a specific
> > process.  We are running splunk, and indexing /var/log/audit/audit.log.  We
> >  want audit.log to be monitored, so we are using a dir watch on
> >  /var/log/audit, but we just don't want splunk access to be reported. 
> >  Filtering on obj_type doesn't work (-F obj_type=auditd_log_t), because  it
> > filters everything, not that specific process. 
> 
> The object is  the file. The subject would be the program accessing the file. 
>You could 
>
> use  subj_type.
> 
> > However, it actually spawns another process to do the  actual access, so I 
>can't
> > filter on pid either.  It runs  unconfined, 
> 
> Which is a big problem because you really don't want it to  be unconfined.
> 
> > so I can't filter on subj_type=unconfined_t, because  that would filter way 
>too much.
> >
> > It was suggested to me to use  audit roles.  If this is something separate
> > from selinux context,  perhaps someone can point me in the right direction?
> > I only want to  filter out (not audit) access to audit.log from the
> > specific process  /opt/splunkforwarder/bin/splunkd (and any forks it may
> > do).
> 
> I  think you might could make the helper app setgid and then filter that  out.
> 
> -a never,exit -F gid=xxx
> 
> -Steve
>


Thanks for the ideas, but what we decided to do was redefine the problem a 
little bit, which is that we didn't necessarily care if anybody read it, just 
that we could audit modifications.  So we changed it to:

-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b32 -S open -k LOG -k 
audit
-a exit,always -F dir=/var/log/audit -F perm=wa -F arch=b64 -S open -k LOG -k 
audit

That filters out reads while taking into consideration that files get sorted 
after dirs (at least in the current rhel5 audit package).

Thanks for the help.

More information about the Linux-audit mailing list