Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-5199

[RFE] implement selinux audit log filtering for syslog plugin

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • audit-4.0.3-1.el10
    • None
    • 1
    • rhel-security-special-projects
    • ssg_security
    • 26
    • 2
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • SECENGSP Cycle 14
    • Feature
    • Hide
      .Rule-based filtering and forwarding of Audit events

      With the new `audisp-filter` plugin, you can suppress specific Audit events based on custom `ausearch` expressions in a flexible way, which should reduce unnecessary output to downstream plugins.

      This plugin acts as a bridge between Audit and other plugins. It filters out certain Audit events and forwards only those events that correspond to the rules specified in the configuration file.

      As a result, you can selectively filter Audit events by using allowlist or blocklist modes. Each plugin that uses the `audisp-filter` can define its own configuration file that contains matching rules. One common use case is to exclude noisy or irrelevant Audit events and forward only significant events to the syslog plugin. This allows the filtered events to be logged by syslog, making Audit logs more manageable.
      Show
      .Rule-based filtering and forwarding of Audit events With the new `audisp-filter` plugin, you can suppress specific Audit events based on custom `ausearch` expressions in a flexible way, which should reduce unnecessary output to downstream plugins. This plugin acts as a bridge between Audit and other plugins. It filters out certain Audit events and forwards only those events that correspond to the rules specified in the configuration file. As a result, you can selectively filter Audit events by using allowlist or blocklist modes. Each plugin that uses the `audisp-filter` can define its own configuration file that contains matching rules. One common use case is to exclude noisy or irrelevant Audit events and forward only significant events to the syslog plugin. This allows the filtered events to be logged by syslog, making Audit logs more manageable.
    • Done
    • None
    • 57,005

      We would like to have possibility to split AVC audit messages from other logs (i.e. store AVC messages apart from EXEC logs)

      Due to lack of the rsyslog feature (https://bugzilla.redhat.com/1860303) and the fact that it won't be implemented on a kernel level (https://bugzilla.redhat.com/1859965), the last hope is to get it implemented on userspace audit level.

      The idea is to have possibility to filter specific audit messages (i.e. via existing syslog plugin or other) according to their types, so the following audit message routing example would be possible:
      1) type=CWD -> syslog [facility0]
      2) type=EXECVE -> syslog [facility1]

              rh-ee-alakatos Attila Lakatos
              rhn-support-dbodnarc Dmitri Bodnarciuc
              Sergio Correia Sergio Correia
              SSG Security QE SSG Security QE
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: