Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-5199

[RFE] implement selinux audit log filtering for syslog plugin

XMLWordPrintable

    • audit-4.0.3-1.el10
    • None
    • 1
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • 2
    • False
    • Hide

      None

      Show
      None
    • Yes
    • SECENGSP Cycle 14
    • If docs needed, set a value
    • None

      We would like to have possibility to split AVC audit messages from other logs (i.e. store AVC messages apart from EXEC logs)

      Due to lack of the rsyslog feature (https://bugzilla.redhat.com/1860303) and the fact that it won't be implemented on a kernel level (https://bugzilla.redhat.com/1859965), the last hope is to get it implemented on userspace audit level.

      The idea is to have possibility to filter specific audit messages (i.e. via existing syslog plugin or other) according to their types, so the following audit message routing example would be possible:
      1) type=CWD -> syslog [facility0]
      2) type=EXECVE -> syslog [facility1]

              rh-ee-alakatos Attila Lakatos
              rhn-support-dbodnarc Dmitri Bodnarciuc
              Sergio Correia Sergio Correia
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: