Audit filtering by parent process path

Simon Außerlechner s.ausserlechner at gmail.com
Tue Jan 8 05:09:57 UTC 2019


Hi,

Using the Linux kernel audit system I audit program executions with the
following audit rule.

-w /usr/sbin/my-program -p x -k my-program-audit-class

In order to keep the audit log clean I want to suppress executions of
my-program if done by a defined set of applications given their path.
Since the PPID is available in the audit log entry (type=SYSCALL), there
might be some means to filter out by parent program path at the time the
audit log is generated; however, I cannot find a solution, not even by
looking at audit_filter_rules(). Introducing helper scripts to clean up
audit.log by filtering later on, as well as distinguishing by user/group
or security context, are not my preferred options.

Thank you,
Simon
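The post-hoc log filtering that the post mentions as a fallback, as an added example (not code from the original post or from the audit project): it reads constructed audit SYSCALL records, recovers each parent's executable path from that parent's own earlier execve record (which assumes the parent was audited too, e.g. by a broader execve rule), and drops my-program records whose parent path is on an allow-list. The key name is the one from the rule above; every other path, pid and timestamp is a constructed sample value.

```python
import re
from typing import Dict, Iterable, List

# key=value fields of an audit record; values are either quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fields(line: str) -> Dict[str, str]:
    """Parse one audit record line into its key=value fields (quotes stripped)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def filter_by_parent(lines: Iterable[str], key: str, allowed_parents: Iterable[str]) -> List[str]:
    """Return SYSCALL records tagged with `key` whose parent executable is NOT
    allow-listed. The parent path comes from an earlier SYSCALL record of the
    parent itself (pid= -> exe=), so the parent must also have been audited.
    Records whose ppid cannot be resolved are kept, never silently suppressed."""
    allowed = set(allowed_parents)
    pid_to_exe: Dict[str, str] = {}
    kept = []
    for line in lines:
        f = parse_fields(line)
        if f.get("type") != "SYSCALL":
            continue
        if f.get("key") == key:
            parent_exe = pid_to_exe.get(f.get("ppid", ""))  # None if unknown
            if parent_exe not in allowed:
                kept.append(line)
        # Remember this pid's current image for later ppid lookups. Processing
        # in log order means a reused pid resolves to its most recent image.
        if "pid" in f and "exe" in f:
            pid_to_exe[f["pid"]] = f["exe"]
    return kept

# Constructed sample log: a cron wrapper (allow-listed) and an interactive
# shell both start my-program; a third start has an unaudited parent.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1546923000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=0 uid=0 comm="cron-wrapper" exe="/usr/bin/cron-wrapper" key="all-exec"',
    'type=SYSCALL msg=audit(1546923000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=5678 auid=0 uid=0 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"',
    'type=SYSCALL msg=audit(1546923000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=9000 pid=9001 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="all-exec"',
    'type=SYSCALL msg=audit(1546923000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=9001 pid=9002 auid=1000 uid=1000 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"',
    'type=SYSCALL msg=audit(1546923000.105:205): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4243 auid=1000 uid=1000 comm="my-program" exe="/usr/sbin/my-program" key="my-program-audit-class"',
]

if __name__ == "__main__":
    for rec in filter_by_parent(SAMPLE_LOG, "my-program-audit-class", ["/usr/bin/cron-wrapper"]):
        print(rec)  # records 204 (parent /bin/bash) and 205 (unknown parent) remain
```

Resolving the parent from the log rather than from /proc avoids racing against a parent that has already exited, but it only works for parents covered by an execve rule.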
