Excluding a script / process and its descendants from audit

Paul Moore paul at paul-moore.com
Thu Jul 14 21:38:51 UTC 2022


On Thu, Jul 14, 2022 at 3:01 PM Lenny Bruzenak <lenny at magitekltd.com> wrote:
> On 7/14/22 11:53, Stephen Smalley wrote:
> > Hi,
> >
> > Is it possible to exclude a script from triggering audit records?
> > I know that one can exclude an executable via -a never,exit -F
> > exe=/path/to/exe but I haven't been able to find a way to do the same
> > for a script.
> > Also, is there a way to have the exclusion applied to all child
> > processes spawned by the script?
>
> So - the way I've done this is to set policy for the script to run in a
> certain unique type, then exclude that subj_type.
>
> For child processes, if they are spawned with the parent context, you are
> set; otherwise I'm sure macros exist to accommodate that, and you would
> be more familiar with those than me.

Agree with Lenny, I can't think of anything better.

-- 
paul-moore.com
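The approach Lenny describes, written out as an added example (not code from this thread, nor from the audit or SELinux projects): a refpolicy-style module that gives the script its own domain, an audit rule that excludes that domain, and a check for children that leave the domain. Everything concrete here is an assumption: a Fedora/RHEL-style refpolicy base with `unconfined_t`/`unconfined_r` and the devel Makefile in `/usr/share/selinux/devel`, the script at `/usr/local/bin/quiet-job.sh`, and the made-up type names `quiet_script_t`/`quiet_script_exec_t`. The functions only generate files unless you call the script with `activate`, which needs root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All names below are assumptions.
QUIET_TYPE="quiet_script_t"                 # assumed domain for the script and its descendants
QUIET_EXEC_TYPE="quiet_script_exec_t"       # assumed entrypoint label for the script file
SCRIPT_PATH="/usr/local/bin/quiet-job.sh"   # assumed script location
SRC_DIR="/usr/local/src/selinux"            # assumed build directory for the module

# Refpolicy module source: a new domain entered when unconfined_t executes the
# labelled script. unconfined_domain() keeps the script as permissive as before,
# because the only purpose of the new type is to be matched by the audit rule.
quiet_policy_te() {
    cat <<EOF
policy_module(quiet_script, 1.0)

require {
    type unconfined_t;
    role unconfined_r;
}

type ${QUIET_TYPE};
type ${QUIET_EXEC_TYPE};
domain_type(${QUIET_TYPE})
domain_entry_file(${QUIET_TYPE}, ${QUIET_EXEC_TYPE})
role unconfined_r types ${QUIET_TYPE};

# exec of a ${QUIET_EXEC_TYPE} file from unconfined_t lands in ${QUIET_TYPE}
domain_auto_trans(unconfined_t, ${QUIET_EXEC_TYPE}, ${QUIET_TYPE})

unconfined_domain(${QUIET_TYPE})
EOF
}

# The exclusion rule. The kernel takes the action of the first matching rule in
# a list, so this "never" rule has to sit before any "always" rules; hence the
# 00- prefix, since augenrules concatenates rules.d files in sorted order.
quiet_audit_rule() {
    printf -- '-a never,exit -F subj_type=%s\n' "$QUIET_TYPE"
}

# Write the module source and the rules file under $1 (a scratch root for
# testing, or empty for the real filesystem).
install_quiet_files() {
    root="${1:-}"
    mkdir -p "$root/etc/audit/rules.d" "$root$SRC_DIR"
    quiet_policy_te > "$root$SRC_DIR/quiet_script.te"
    quiet_audit_rule > "$root/etc/audit/rules.d/00-quiet-script.rules"
}

# Build and load the module, label the script, and load the rules (root only).
activate_quiet_policy() {
    install_quiet_files ""
    ( cd "$SRC_DIR" && make -f /usr/share/selinux/devel/Makefile quiet_script.pp \
        && semodule -i quiet_script.pp )
    semanage fcontext -a -t "$QUIET_EXEC_TYPE" "$SCRIPT_PATH"
    restorecon -v "$SCRIPT_PATH"
    augenrules --load
}

# Children stay excluded only while they keep the parent's context. List any
# domain transitions the policy defines out of the quiet domain (setools'
# sesearch); each one is an exec that would put a descendant back under audit.
check_quiet_descendants() {
    echo "processes currently running in $QUIET_TYPE:"
    ps -eZ | grep "$QUIET_TYPE" || echo "  (none)"
    echo "domain transitions out of $QUIET_TYPE (each one re-enables auditing):"
    sesearch -T -s "$QUIET_TYPE" -c process || echo "  (none, or sesearch unavailable)"
}

case "${1:-}" in
    activate) activate_quiet_policy ;;
    check)    check_quiet_descendants ;;
    render)   quiet_policy_te; quiet_audit_rule ;;
esac
```

Why a type rather than `-F exe=`: for an interpreted script the task's executable is the interpreter (`/bin/bash` and the like), so an `exe=` rule would either miss the script or silence every shell on the box. A `subj_type` rule keys on the process label instead, which is inherited across `fork`, so descendants are covered for free until one of them execs into a domain with its own transition rule; `sesearch -T` is the quick way to see whether your policy defines any.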


