* Excluding selected CRYPTO_KEY_USER events
@ 2016-01-09 16:26 Richard Young
  2016-01-09 19:35 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Young @ 2016-01-09 16:26 UTC (permalink / raw)
  To: linux-audit

I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would
like to exclude just specific ones.
I would like to exclude ones for a specific UID, hostname, or IP.

There are many examples of how to exclude specific files, directory events,
or syscall events.

Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by
UID, hostname, or IP?

* Re: Excluding selected CRYPTO_KEY_USER events
  2016-01-09 16:26 Excluding selected CRYPTO_KEY_USER events Richard Young
@ 2016-01-09 19:35 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2016-01-09 19:35 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Young

On Saturday, January 09, 2016 10:26:06 AM Richard Young wrote:
> I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would
> like to exclude just specific ones.
> I would like to exclude ones for a specific UID, hostname, or IP.
> 
> There are many examples of how to exclude specific files, directory events,
> or syscall events.
> 
> Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by
> UID, hostname, or IP?

I opened a bz to ask for this capability a little over a month ago:
https://bugzilla.redhat.com/show_bug.cgi?id=1287745
Unfortunately, I don't think you can do anything until that lands.

This particular event comes from user space. So, the kernel cannot filter on IP 
address. And specifically, the kernel can never really filter on IP address 
because it's typically not an argument to any but 2 or 3 syscalls.

There is a chance that you might be able to use the USER filter if the selinux 
type is unique to whatever you wanted to remove.

-a never,user -F subj_type=httpd_t

-Steve

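The two options the reply leaves open, written out as an added example (this is not code from the thread or from the audit project). The first function writes the kernel-side rules: the exclude list drops a whole msgtype, and the user list matches only what the kernel knows about the sending process (uid, auid, gid, pid and the subj_* fields), never the hostname= or addr= text inside the record's msg='...' payload; Steve's subj_type rule is copied from his reply, the always,exclude form is the auditctl(8) exclude-list syntax. The second part is the fallback for the fields the kernel cannot see: an awk filter run over raw records after the fact. The log lines are constructed to mimic sshd-style CRYPTO_KEY_USER records (RFC 5737 documentation addresses, placeholder fingerprints) and are an assumption about the layout, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread or the audit project.

# Write the kernel-side rules discussed above to the file named in $1.
# The user list sees only the sending process; for sshd-originated records
# that means uid=0 (sshd itself), not the session user carried in the payload.
write_audit_rules() {
    cat > "$1" <<'EOF'
# Too coarse for the question: drops every CRYPTO_KEY_USER record.
#-a always,exclude -F msgtype=CRYPTO_KEY_USER
# Steve's suggestion: drop all user-space records sent from one SELinux type.
-a never,user -F subj_type=httpd_t
EOF
}

# Constructed sshd-style CRYPTO_KEY_USER records plus one unrelated record;
# addresses are RFC 5737 documentation ranges, fingerprints are placeholders.
sample_log() {
    cat <<'EOF'
type=CRYPTO_KEY_USER msg=audit(1452356766.123:201): pid=1201 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=destroy kind=server fp=SHA256:aaaa direction=? spid=1203 suid=74  exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1452356770.456:202): pid=1210 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0 msg='op=destroy kind=session fp=? direction=both spid=1212 suid=1000  exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=? res=success'
type=USER_LOGIN msg=audit(1452356771.000:203): pid=1210 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1452356780.789:204): pid=1220 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0 msg='op=destroy kind=server fp=SHA256:bbbb direction=? spid=1222 suid=74  exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
EOF
}

# Drop CRYPTO_KEY_USER records whose text carries " $1=$2 " (e.g. addr 192.0.2.10,
# hostname build01, auid 1000); every other record type passes through untouched.
# Feed it `ausearch --raw -m CRYPTO_KEY_USER` output (or the whole log) on stdin.
filter_crypto_key_user() {
    awk -v key="$1" -v val="$2" '
        /^type=CRYPTO_KEY_USER / && index($0, " " key "=" val " ") > 0 { next }
        { print }'
}

# Helpers returning counts so the filter's effect can be checked.
count_type_after_filter() {   # $1=key $2=value $3=record type to count
    sample_log | filter_crypto_key_user "$1" "$2" | grep "^type=$3 " | wc -l | tr -d ' '
}
total_after_filter() {        # $1=key $2=value
    sample_log | filter_crypto_key_user "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: show the kernel rules, then the post-hoc filter by address.
if [ "${1:-}" = "demo" ]; then
    write_audit_rules /tmp/crypto_key_user.rules && cat /tmp/crypto_key_user.rules
    sample_log | filter_crypto_key_user addr 192.0.2.10
fi
```

The post-hoc filter only trims what ausearch or a report shows; auditd still writes every record to disk, so if the goal is log volume rather than report noise, only the kernel-side lists help, with the limits the reply describes.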