We want to audit certain syscalls (e.g. -a always,exit -F arch=b64 -S fchown) but we also want to ignore use of these syscalls by certain applications which we are not concerned about. How can we “whitelist” specific commands to keep them from triggering on an audit rule and generating an event?
In modern versions of RHEL it’s possible to build syscall-auditing rules that also filter based on:
- target file path, where applicable
- process PID, PPID
- process user, group
- process (subject) SELinux context (e.g., type or role)
- target resource (object) SELinux context (e.g., type or role)
For details on the above filters, see the post below.
Note, however, that an executable path cannot be added to a syscall rule with -F path!=/bin/xxxx or -F path=/bin/xxxx. The former (path!=) is not allowed, and the latter (path=) restricts the rule to syscalls that operate on that file as their target (the object), not to syscalls made by that program.
RHEL 7.3 shipped updated userspace (audit) and kernel components that allow filtering on the calling executable with -F exe=/path/to/executable. The full, absolute path is required, and the != operator is not allowed with exe, so an exclusion cannot be written directly as -F exe!=/path/to/executable.
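The following shell script is an added example, not part of the original article and not Red Hat's own code. It assumes a RHEL 7.3 or later system whose auditctl accepts -F exe=, that the rules are loaded with augenrules from /etc/audit/rules.d/, and that the syscall names and key used (fchown, chown-audit) are illustrative. Since neither -F exe!= nor -F path!= is accepted, the whitelist is expressed the way auditctl(8) documents for suppressions: a "never" rule for each trusted executable placed before the "always" rule, because the kernel evaluates rules in order and the first matching rule decides. The check_order helper catches the common mistake of appending the never rules after the always rule, which silently disables the whitelist.

```shell
#!/bin/sh
# Added example (not from the original article). Builds an audit rules file that
# audits a syscall for every process EXCEPT a list of trusted executables.
#
# Assumptions (mine, not the article's):
#   - audit userspace/kernel from RHEL 7.3 or later, so "-F exe=" is accepted
#   - neither "-F exe!=" nor "-F path!=" is available, so exclusions are done
#     with "never" rules listed BEFORE the "always" rule (first match wins,
#     per auditctl(8): "you want suppressions at the top of the list")
#   - rules are installed under /etc/audit/rules.d/ and loaded by augenrules

# gen_rules SYSCALLS KEY [EXE ...]
# Prints rules for SYSCALLS (comma separated, e.g. fchown,fchownat) with key
# KEY, suppressing events caused by each EXE. Only arch=b64 is emitted here;
# a 32-bit program would need matching arch=b32 rules as well.
gen_rules() {
    syscalls=$1
    key=$2
    shift 2
    for exe in "$@"; do
        case $exe in
            /*) ;;  # "-F exe=" requires an absolute path
            *)  echo "gen_rules: '$exe' is not an absolute path" >&2
                return 1 ;;
        esac
        # Suppression rule: must come before the always rule below.
        printf '%s\n' "-a never,exit -F arch=b64 -S $syscalls -F exe=$exe"
    done
    # The actual audit rule for everyone else.
    printf '%s\n' "-a always,exit -F arch=b64 -S $syscalls -k $key"
}

# check_order FILE
# Returns 0 if every "never" rule precedes the first "always" rule, 1 otherwise.
# A never rule placed after the always rule never matches: the always rule has
# already decided the event, so the whitelist is dead.
check_order() {
    awk '
        BEGIN { seen_always = 0; bad = 0 }
        /^-a always,/ { seen_always = 1 }
        /^-a never,/ && seen_always { bad = 1 }
        END { exit bad }
    ' "$1"
}

# Typical use, as root (paths are illustrative):
#   gen_rules fchown,fchownat chown-audit /usr/bin/chown /usr/sbin/useradd \
#       > /etc/audit/rules.d/40-chown.rules
#   check_order /etc/audit/rules.d/40-chown.rules && augenrules --load
#   auditctl -l        # confirm the never rules are listed first
```

After loading, verify with auditctl -l that the never rules appear above the always rule; if a rules file with a higher sort order in /etc/audit/rules.d/ adds an always rule for the same syscall without its own suppressions, events from the "whitelisted" program will still be generated by that rule.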