I have a need to filter a file from auditing, but only from a specific process.
We are running splunk, and indexing /var/log/audit/audit.log. We want audit.log
to be monitored, so we are using a dir watch on /var/log/audit, but we just
don't want splunk access to be reported. Filtering on obj_type doesn't work (-F
obj_type=auditd_log_t), because it filters everything, not that specific
process. However, it actually spawns another process to do the actual access,
so I can't filter on pid either. It runs unconfined, so I can't filter on
subj_type=unconfined_t, because that would filter way too much.
It was suggested to me to use audit roles. If this is something separate from
selinux context, perhaps someone can point me in the right direction? I only
want to filter out (not audit) access to audit.log from the specific process
/opt/splunkforwarder/bin/splunkd (and any forks it may do).
I've been looking at creating a separate selinux context for splunk, which will
do the trick, but is proving harder than I thought because it ends up forking
off other programs, like top and rpm and nptdate, that run under different
contexts than splunk (unconfined_t, rpm_t, and ntpdate_t respectively), so being
confined to a splunk_t type prevents those programs from running properly.
If anybody has any idea, or can point me in the right direction, i would
appreciate it.
Thanks