On 11/17/2014 09:30 AM, Steve Grubb wrote:
> Well, what do you really want to do? In general, I'd look at the original
> auditing rule to see if its scope can be narrowed. In this case, it appears
> that you are wanting all calls to chmod. Why? Are you more concerned with
> failed calls to chmod, meaning a user is trying to change system files? Are
> system daemons calling chmod OK? Or do you really want everything? Or do you
> want no events at all for that daemon no matter what the syscall?
>
> The event you are showing is that app successfully making a directory world
> writable/readable. It's setting the sticky bit, so it's "safe."
I think this is auditing because the supplied STIG rules specify it.
The "perm_mod" key is the hint. You probably do not want to remove this
rule for all chmod syscalls.
You cannot exclude an executable itself from the rule set by name.
The "exclude" option only applies to event types.
You could exclude it by type, except it is running as a generic unconfined_t.
Perhaps it can be mitigated by "-F path !=<path>" or something similar.
Check the auditctl man page for options.
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
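The options raised in this thread, put side by side as an added example (this is not code posted by either participant). It assumes a hypothetical daemon at /usr/local/bin/mydaemon, a STIG-style chmod rule keyed perm_mod as the starting point, x86_64 syscall numbers (chmod=90, fchmod=91, fchmodat=268, arch=c000003e), and an auditctl/kernel pair recent enough to support the `exe` field. The two audit records it triages are constructed, not taken from the original report.

```shell
#!/bin/bash
# Added example for this thread; not code from either participant.
# Assumptions (hypothetical): daemon path, STIG-style baseline rule, x86_64 syscall
# numbers, and support for the auditctl "exe" field on this kernel.

KNOWN_DAEMON=/usr/local/bin/mydaemon   # hypothetical path of the noisy daemon

# The broad rule a STIG-style baseline typically carries: every chmod-family call
# by a logged-in user, keyed perm_mod.
broad_rule() {
  echo "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
}

# Option A: keep the baseline rule but silence one executable for these syscalls.
# Rule order matters: the exit filter stops at the first matching rule, so the
# "never" rule must be loaded before the "always" rule.
exclude_daemon_rules() {
  echo "-a never,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exe=$KNOWN_DAEMON"
  broad_rule
}

# Option B: keep only failed attempts. A rule cannot OR two exit values, so one rule per errno.
failures_only_rules() {
  echo "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EACCES -k perm_mod"
  echo "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F exit=-EPERM -k perm_mod"
}

# Pull one NAME=value field out of a SYSCALL record; surrounding quotes are stripped.
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# chmod and fchmod carry the mode in a1, fchmodat in a2 (x86_64 numbers, assumption).
mode_arg() {
  case $(field syscall "$1") in
    90|91) field a1 "$1" ;;
    268)   field a2 "$1" ;;
    *)     echo "" ;;
  esac
}

# Classify a hex mode as logged in the record: world-writable (o+w) with or without the sticky bit.
mode_class() {
  [ -n "$1" ] || { echo "unknown"; return; }
  m=$((0x$1))
  if [ $((m & 2)) -ne 0 ]; then
    if [ $((m & 512)) -ne 0 ]; then echo "world-writable-sticky"; else echo "world-writable"; fi
  else
    echo "not-world-writable"
  fi
}

# Triage one perm_mod record: the known daemon setting a sticky world-writable mode is
# the expected noise from the thread; anything else is left for a human to review.
triage_event() {
  line=$1
  [ "$(field key "$line")" = "perm_mod" ] || { echo "not-perm_mod"; return; }
  exe=$(field exe "$line")
  cls=$(mode_class "$(mode_arg "$line")")
  if [ "$exe" = "$KNOWN_DAEMON" ] && [ "$cls" = "world-writable-sticky" ]; then
    echo "expected:$exe:$cls"
  else
    echo "review:$exe:$cls"
  fi
}

# Constructed sample records (not real log lines): the daemon doing chmod 01777, and a
# user running chmod 0777 via fchmodat.
SAMPLE_DAEMON='type=SYSCALL msg=audit(1416237000.123:4567): arch=c000003e syscall=90 success=yes exit=0 a0=1d2c010 a1=3ff a2=0 a3=0 items=1 ppid=1 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="mydaemon" exe="/usr/local/bin/mydaemon" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"'
SAMPLE_USER='type=SYSCALL msg=audit(1416237000.456:4568): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=1a3c2f0 a2=1ff a3=0 items=1 ppid=3300 pid=3301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="perm_mod"'

echo "# rules: baseline kept, daemon silenced"
exclude_daemon_rules
echo "# rules: failures only"
failures_only_rules
echo "# triage of the two constructed records"
triage_event "$SAMPLE_DAEMON"
triage_event "$SAMPLE_USER"
```

Load either rule set with `auditctl -R` (or drop it into the rules directory) and confirm the order with `auditctl -l`; if the `never` rule lands after the `always` rule it has no effect. The triage function is only a sanity check on `ausearch -k perm_mod` output while you decide which narrowing to keep.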