On Thu, 2009-06-25 at 20:22 -0400, Steve Grubb wrote:
> On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> > Anyone have a good idea of how to discard all these events? Ideally the
> > caller would send in a self-generated event such as "rsyncing rick/src2/
> > to /temp-home" or similar. This is for a dedicated file backup
> > procedure.
> >
> > Obviously I do not want to discard all rsync events, just when launched
> > by our trusted program. Nor would I really want all that program's
> > events discarded since I want it to be able to submit proactive events
> > which summarize its behavior.
>
> With SE Linux, you can create different subject types based on how the
> application was started. Then you can exclude based on the type you assign to
> your subject whenever started by your trusted program.
>
> -Steve
Right, but wouldn't that preclude that same program from being able to
proactively submit its own records and also stop any inadvertent audit
events?
I guess I could:
1: start the first process with type1, let type1 audit what it plans to
do, then it could fork/exec/transition to type2.
2: the new process type2 could then run the rsync stuff. I could exclude
all the type2 records.
3: the parent would wait for the child to complete and, based on the
exit code, audit success/failure as appropriate?
I guess this is the best way forward, however it scares me a little that
no events will then be logged from the process of that type2. If I
protect it I guess it's OK.
Thx!
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
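An added example of the three-step plan above, written for this page and not code from the thread or from either poster. It assumes two hypothetical SELinux types, backup_ctl_t (the "type1" the wrapper runs as) and backup_rsync_t (the "type2" for the rsync child), defined by a local policy module that allows backup_ctl_t to transition to backup_rsync_t on exec; the type names, the rsync options and the paths are illustrative. The exclusion uses a `never` rule on the auditctl exit filter keyed on subj_type, the proactive records are written with `auditctl -m`, and the parent gets the child's exit status because runcon runs in the foreground.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): split the backup into a
# type1 parent that writes its own audit records and a type2 rsync child whose
# syscall records are dropped. backup_ctl_t / backup_rsync_t are hypothetical
# types that a local policy module is assumed to define and allow.
set -u

TYPE1=${TYPE1:-backup_ctl_t}      # hypothetical domain of this wrapper (type1)
TYPE2=${TYPE2:-backup_rsync_t}    # hypothetical domain of the rsync child (type2)
RSYNC=${RSYNC:-rsync}             # overridable so the flow can be exercised without rsync

# Rules to load (auditctl -R or audit.rules). The exit filter stops at the first
# matching rule, so these 'never' rules must come before any 'always' rules that
# would otherwise match the same syscalls. Only syscall records from $TYPE2 are
# dropped; USER records written by the $TYPE1 parent are not affected.
backup_audit_rules() {
    printf '%s\n' \
        "-a never,exit -F arch=b64 -S all -F subj_type=$TYPE2" \
        "-a never,exit -F arch=b32 -S all -F subj_type=$TYPE2"
}

# Write a USER record carrying the given text (needs CAP_AUDIT_WRITE).
audit_note() {
    auditctl -m "$1" >/dev/null 2>&1 || return 1
}

# Steps 1-3 of the plan: announce, run rsync as $TYPE2, wait, record outcome.
# Refuses to start the unaudited child if the announcement cannot be written.
# Returns rsync's exit status (or 2 if the start record could not be logged).
run_backup() {
    src=$1; dst=$2
    audit_note "backup start src=$src dst=$dst" || return 2
    # runcon execs the child in $TYPE2; if policy does not allow the
    # transition the exec fails before any rsync activity happens.
    runcon -t "$TYPE2" "$RSYNC" -a --delete "$src" "$dst"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        audit_note "backup end src=$src dst=$dst res=success"
    else
        audit_note "backup end src=$src dst=$dst exit=$rc res=failed"
    fi
    return "$rc"
}

case "${1:-}" in
    rules) backup_audit_rules ;;
    run)   run_backup "$2" "$3" ;;
esac
```

Run `sh backup.sh rules` to print the two exclusion lines for audit.rules and `sh backup.sh run rick/src2/ /temp-home` to perform the backup. Because the start record is written by the type1 parent before the transition, and the job aborts if that write fails, the only window with no records is the type2 child itself, and what that child can touch is bounded by what the policy grants backup_rsync_t.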