Key based rate limiter (audit_set_rate_limit)

Anurag Aggarwal anurag19aggarwal at gmail.com
Thu Mar 2 05:13:21 UTC 2023


>
> Or if selinux is in force, create policy for the events you definitely
> want, then look for those types (either subject or object) in your rule.
> This is something I've seen before, where renames that are desired to be
> audited use the provided system tools, but for locally developed
> application code, they are made to run inside a certain type of a custom
> executable and then that type is excluded from the rename syscall rule.
> Ideally, the code which is written would self-audit a 1-liner like "I am
> going to rename every file under dir /opt/special/stuff/" using
> audit_log_user_message so you still have some idea what is happening (if
> you care).
>
> Then your "my-rename" program subject type of my_rename_t can be used as
> an exclude on the rule. Of course, the caller must then know to use this
> rather than the standard utilities.
>

This sounds useful and might solve our problem. Will it be possible to
share some examples of how this can be achieved?

-- 
Anurag Aggarwal
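
One way the approach in the quoted reply could look, as an added example that is not part of the original message or of the audit project's code. It assumes local SELinux policy already defines my_rename_t and labels the script so it runs in that domain; the rule key, the suffix argument and the function names are hypothetical.

```sh
#!/bin/sh
# Added illustration, not code from the thread. Assumptions: local SELinux policy
# already defines my_rename_t and labels this script so it runs in that domain;
# the rule key "rename" and the suffix argument are made up for the example.

AUDITCTL="${AUDITCTL:-auditctl}"   # overridable so the logic can be exercised without root

# Print rules that audit rename-family syscalls for every subject type except $1.
# The syscall list assumes x86_64; some architectures have no plain rename syscall.
rename_rules() {
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S rename,renameat,renameat2 -F subj_type!=$1 -k rename"
    done
}

# Write the one-line self-audit record, then do the bulk rename the rule skips.
# Prints the number of files renamed.
my_rename() {
    dir="$1"; suffix="$2"
    [ -d "$dir" ] || { echo "my-rename: not a directory: $dir" >&2; return 2; }
    # auditctl -m sends a user-space message (needs CAP_AUDIT_WRITE); a C program
    # would call audit_log_user_message instead, as the quoted reply suggests.
    # Fail closed: if the record cannot be written, nothing is renamed.
    "$AUDITCTL" -m "my-rename: renaming every file under $dir" >/dev/null || return 1
    count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mv -- "$f" "$f$suffix" || return 1
        count=$((count + 1))
    done
    echo "$count"
}
```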