Audit filtering by parent process path

Steve Grubb sgrubb at redhat.com
Tue Jan 8 18:30:03 UTC 2019


Hello,

On Tuesday, January 8, 2019 12:09:57 AM EST Simon Außerlechner wrote:
> Using the Linux kernel audit system I audit program executions with the
> following audit rule.
> 
> -w /usr/sbin/my-program -p x -k my-program-audit-class
> 
> In order to keep the audit log clean I want to suppress executions of
> my-program if done by a defined set of applications given their path.
> Since the PPID is available in the audit log entry (type=SYSCALL), there
> might be some means to filter out by parent program path at the time the
> audit log is generated, however, I cannot find a solution, also not by
> looking at audit_filter_rules().

There isn't a capability to have auditd or the kernel filter based on the 
parent program's name. We only have the numeric representation.

If your program is supposed to be launched only by a specific known program or 
programs, this is possibly something SELinux could help with. This way when 
someone tries it at the command line you get an AVC. This would also assume 
that you do not let people log in as unconfined_t. Another possibility is that 
perhaps you can assign a supplemental group to your programs which launch 
your other program. Have it check that it has inherited the supplemental group 
and exit if not. Or restrict execution by file permissions to that group. It 
should then be possible to look for execution of that returning EPERM.

-Steve

> Introducing helper scripts to clean up
> audit.log by filtering out later on as well as distinguishing by
> user/group, security context are not my preferred options.
> 
> Thank you,
> Simon
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
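The supplemental-group check and the search for denied executions that Steve suggests above, as an added example that is not part of the thread: it assumes x86_64 (execve is syscall 59), the key from Simon's rule, a group that exists on the host, and constructed sample SYSCALL records rather than real log lines.

```python
"""Two pieces from the reply: a runtime check that the launching program passed
a supplemental group down to us, and a filter that picks out the audit SYSCALL
records for execve attempts denied once the binary's mode restricts it to that
group (the kernel reports EACCES for a mode denial, EPERM for other refusals)."""
import errno
import grp
import os
import shlex

AUDIT_KEY = "my-program-audit-class"  # key from the -w rule in the thread
EXECVE_X86_64 = 59                    # assumed arch=c000003e syscall number


def has_supplemental_group(required_gid, groups=None):
    """True when required_gid is among the supplementary groups; defaults to
    os.getgroups(), i.e. whatever the parent process passed down to us."""
    if groups is None:
        groups = os.getgroups()
    return required_gid in groups


def require_group_or_exit(group_name):
    """The 'check and exit if not' variant: group_name is assumed to exist."""
    gid = grp.getgrnam(group_name).gr_gid
    if not has_supplemental_group(gid):
        raise SystemExit(f"refusing to run: not launched with group {group_name}")


def parse_audit_record(line):
    """Split one raw 'type=SYSCALL ... key="x"' line into a dict; quoted values
    are unquoted, and key=(null) means the record matched no rule key."""
    fields = {}
    for token in shlex.split(line):
        name, sep, value = token.partition("=")
        if sep:
            fields[name] = value
    return fields


def is_denied_exec(record, key=AUDIT_KEY):
    """Match an execve under our key that failed with EPERM or EACCES."""
    if record.get("type") != "SYSCALL" or record.get("key") != key:
        return False
    if record.get("syscall") != str(EXECVE_X86_64) or record.get("success") != "no":
        return False
    return int(record.get("exit", "0")) in (-errno.EPERM, -errno.EACCES)


def denied_execs(lines, key=AUDIT_KEY):
    """Parsed records of denied launches from an iterable of raw audit lines."""
    return [r for r in map(parse_audit_record, lines) if is_denied_exec(r, key)]


# Constructed samples: a denied launch from an interactive shell (exe is still
# the parent since the exec never happened) and one the approved launcher made.
SAMPLE_DENIED = ('type=SYSCALL msg=audit(1546972203.123:456): arch=c000003e '
                 'syscall=59 success=no exit=-13 ppid=1200 pid=1234 auid=1000 '
                 'uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" '
                 'key="my-program-audit-class"')
SAMPLE_ALLOWED = ('type=SYSCALL msg=audit(1546972204.321:457): arch=c000003e '
                  'syscall=59 success=yes exit=0 ppid=900 pid=1300 auid=1000 '
                  'uid=1000 gid=1000 comm="my-program" '
                  'exe="/usr/sbin/my-program" key="my-program-audit-class"')
```

Feed `denied_execs()` the raw lines from audit.log, or the output of `ausearch -k my-program-audit-class --raw`, to list the launches the group restriction blocked.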
