Key based rate limiter (audit_set_rate_limit)
Lenny Bruzenak
lenny at magitekltd.com
Thu Mar 2 17:24:13 UTC 2023
On 3/1/23 22:13, Anurag Aggarwal wrote:
> Or if selinux is in force, create policy for the events you
> definitely want, then look for those types (either subject or
> object) in your rule. This is something I've seen before, where
> renames that are desired to be audited use the provided system
> tools, but for locally developed application code, they are made
> to run inside a certain type of a custom executable and then that
> type is excluded from the rename syscall rule. Ideally, the code
> which is written would self-audit a 1-liner like "I am going to
> rename every file under dir /opt/special/stuff/" using
> audit_log_user_message so you still have some idea what is
> happening (if you care).
>
> Then your "my-rename" program subject type of my_rename_t can be
> used as an exclude on the rule. Of course, the caller must then
> know to use this rather than the standard utilities.
>
>
> This sounds useful and might solve our problem, will it be possible to
> share some examples on how this can be achieved?
Replying off-list as it is not specifically audit-focused. See Paul, I
CAN learn. 😁
LCB
--
Lenny Bruzenak
MagitekLTD
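To make the rule arrangement from the quoted paragraph concrete, here is an added example (not from the thread or the audit project): a POSIX shell function that writes an audit.rules fragment recording rename syscalls while excluding the custom SELinux domain of the trusted rename tool, with the "never" rule placed ahead of the "always" rule. The domain name my_rename_t comes from the thread; the key name rename_watch and the rules path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes an audit.rules fragment that
# records rename/renameat/renameat2 for everything except processes running in
# the trusted SELinux domain (my_rename_t in the thread). The key rename_watch
# and the output path are assumptions.
set -eu

# write_rename_rules OUTFILE DOMAIN
# Order matters: audit matches the first rule that applies to an event, so
# the "never" exclusion must precede the "always" recording rule.
write_rename_rules() {
    out="$1"      # e.g. /etc/audit/rules.d/50-rename.rules (assumed path)
    domain="$2"   # SELinux subject type to exclude, e.g. my_rename_t
    {
        printf '%s\n' "## rename events, excluding the trusted $domain domain"
        # 1) drop rename syscalls issued from the trusted domain
        printf '%s\n' "-a never,exit -F arch=b64 -S rename,renameat,renameat2 -F subj_type=$domain"
        printf '%s\n' "-a never,exit -F arch=b32 -S rename,renameat,renameat2 -F subj_type=$domain"
        # 2) record every other rename syscall under one searchable key
        printf '%s\n' "-a always,exit -F arch=b64 -S rename,renameat,renameat2 -k rename_watch"
        printf '%s\n' "-a always,exit -F arch=b32 -S rename,renameat,renameat2 -k rename_watch"
    } > "$out"
}

# check_rule_order FILE
# Succeeds only if the first "never" rule appears before the first "always"
# rule, i.e. the exclusion will actually take effect.
check_rule_order() {
    never_line=$(grep -n '^-a never' "$1" | head -n 1 | cut -d: -f1)
    always_line=$(grep -n '^-a always' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$never_line" ] && [ -n "$always_line" ] && [ "$never_line" -lt "$always_line" ]
}

# Load with: auditctl -R /etc/audit/rules.d/50-rename.rules  (or augenrules --load)
# The self-audit one-liner from the thread corresponds to a user-space record,
# e.g. from a script: auditctl -m "renaming every file under /opt/special/stuff/"
# or, from C, audit_log_user_message() in libaudit.
```

Search the resulting records with `ausearch -k rename_watch`; renames performed from my_rename_t will be absent, and the tool's own user message records what it did.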