Hello,
On Tuesday, January 8, 2019 12:09:57 AM EST Simon Außerlechner wrote:
> Using the Linux kernel audit system I audit program executions with the
> following audit rule.
>
> -w /usr/sbin/my-program -p x -k my-program-audit-class
>
> In order to keep the audit log clean I want to suppress executions of
> my-program if done by a defined set of applications given their path.
> Since the PPID is available in the audit log entry (type=SYSCALL), there
> might be some means to filter out by parent program path at the time the
> audit log is generated, however, I cannot find a solution, also not by
> looking at audit_filter_rules().
There isn't a capability to have auditd or the kernel to filter based on the
parent program's name. We only have the numeric representation.
If your program is supposed to be launched only by a specific known program or
programs, this is possibly something selinux could help with. This way when
someone tries it at the command line you get an AVC. This would also assume
that you do not let people log in as unconfined_t. Another possibility is that
perhaps you can assign a supplemental group to your programs which launch
your other program. Have it check that it's inherited the supplemental group
and exit if not. Or restrict execution by file permissions to that group. It
should then be possible to look for execution of that returning EPERM.
-Steve
> Introducing helper scripts to clean up
> audit.log by filtering out later on as well as distinguishing by
> user/group, security context are not my preferred options.
>
> Thank you,
> Simon
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
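As an added illustration of the two defensive pieces Steve suggests (not code from the thread or from the audit project): the program checks at startup that it inherited the launcher's supplemental group and exits otherwise, and a small parser picks the failed execve records for the audit key out of audit.log so the attempts that were refused by file permissions can be reviewed. The group id 1001, the key name reuse from the original rule, and the SYSCALL lines below are constructed assumptions; the errno reported is whatever the record's exit field carries (exit=-13 is EACCES, exit=-1 is EPERM), and it is assumed the watch rule from the original post also records attempts that fail.

```python
import errno
import grp
import os
import re
import sys

# Constructed sample records in the shape of type=SYSCALL lines from audit.log
# (assumption, not taken from the list post). Records 2 and 3 are refused
# execve attempts of my-program: exit=-13 is EACCES, exit=-1 is EPERM.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1546905600.101:201): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=900 pid=901 auid=1000 uid=0 gid=0 comm="my-program" exe="/usr/sbin/my-program" '
    'key="my-program-audit-class"',
    'type=SYSCALL msg=audit(1546905600.202:202): arch=c000003e syscall=59 success=no exit=-13 '
    'ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" '
    'key="my-program-audit-class"',
    'type=SYSCALL msg=audit(1546905600.303:203): arch=c000003e syscall=59 success=no exit=-1 '
    'ppid=1234 pid=1236 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" '
    'key="my-program-audit-class"',
    'type=SYSCALL msg=audit(1546905600.404:204): arch=c000003e syscall=2 success=no exit=-13 '
    'ppid=1 pid=50 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key="other"',
]

# One audit field: name=value, where value is either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {name: value.strip('"') for name, value in FIELD_RE.findall(line)}


def denied_exec_events(lines, key):
    """Return (pid, ppid, exe, errno name) for failed SYSCALL records carrying `key`.

    These are the records a reviewer would look at when execution of the
    watched program is restricted by file permissions to one group: any
    launcher outside that group shows up here with success=no.
    """
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        if rec.get("success") != "no":
            continue
        code = -int(rec.get("exit", "0"))
        hits.append((int(rec["pid"]), int(rec["ppid"]), rec.get("exe", ""),
                     errno.errorcode.get(code, str(code))))
    return hits


def launched_with_gid(required_gid, groups=None):
    """True if `required_gid` is among the process's supplemental groups.

    `groups` defaults to the live os.getgroups() list; it is a parameter so the
    check can be exercised with a constructed list.
    """
    if groups is None:
        groups = os.getgroups()
    return required_gid in groups


def require_launcher_group(group_name):
    """Startup gate for the watched program: exit unless the launcher's group was inherited."""
    try:
        gid = grp.getgrnam(group_name).gr_gid
    except KeyError:
        sys.exit("launcher group %r does not exist on this system" % group_name)
    if not launched_with_gid(gid):
        sys.exit("refusing to run: not started by a member of %r" % group_name)


if __name__ == "__main__":
    # Hypothetical usage: read audit.log from argv[1] or fall back to the samples.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_AUDIT_LINES
    for pid, ppid, exe, err in denied_exec_events(lines, "my-program-audit-class"):
        print("denied exec of my-program: pid=%d ppid=%d launcher=%s (%s)" % (pid, ppid, exe, err))
```

The PPID in each refused record still only identifies the parent numerically, as Steve notes; the point of the group restriction is that the refusal itself, not the parent's path, is what separates sanctioned launchers from everyone else.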