We’re running Pritunl on Oracle Linux 8. Our host IDS (Wazuh) is throwing an alarm for the Pritunl directory in /tmp. It looks like it has something to do with an SELinux policy.
Here’s what we’re getting from the IDS:
Anomaly detected in file '/tmp/pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
When I list /tmp with sudo ls -l /tmp, I get this:
ls: cannot access '/tmp/pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93': Permission denied
total 4
d?????????? ? ? ? ? ? pritunl_7d884ce22aad4b2bbb2c1ae1cc1b7a93
Is there any modification I can make to an SELinux policy to squash the IDS alarm while keeping things secure?
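The symptom in the post (an entry that readdir returns but that even root cannot stat, shown by ls as a mode field of "?" characters) is exactly what a rootkit check flags, but it is also what an SELinux denial looks like, because root is subject to SELinux just like any other user. The following triage helper is an added example, not code from the original post, Pritunl or Wazuh. It parses ls -l output to pick out the entries that could not be stat'ed, and on a live host it checks whether SELinux is enforcing and whether a recent AVC denial names the directory. It assumes auditd is running and that the denial is actually audited (a dontaudit rule would hide it), so an "enforcing but no AVC" result means "inconclusive", not "clean".

```shell
#!/bin/sh
# Added triage helper (not from the original post). Two parts:
#  1. unstattable_from_ls: parse `ls -l` text and print entries that ls could
#     list (readdir worked) but not stat (every metadata field printed as "?").
#  2. classify_unstattable: on a live host, report whether SELinux, rather than
#     a rootkit, is the plausible reason root was refused access to the entry.

# Reads `ls -l` output on stdin. A stat() failure is printed by ls as a mode
# field such as "d??????????" followed by "?" for links/owner/group/size/date,
# so the name starts at field 7 (joined back together in case it has spaces).
unstattable_from_ls() {
    awk '$1 ~ /^.[?]+$/ {
        name = $7
        for (i = 8; i <= NF; i++) name = name " " $i
        print name
    }'
}

# Prints one of:
#   NO_SELINUX_TOOLS           getenforce is not installed, cannot say
#   SELINUX_NOT_ENFORCING      SELinux cannot be the cause of the refusal
#   SELINUX_ENFORCING_DENIAL   a recent AVC denial names this entry
#   SELINUX_ENFORCING_NO_AVC   enforcing, but no audited denial found (inconclusive:
#                              auditd may be off or the denial may be dontaudit'ed)
classify_unstattable() {
    path=$1
    entry=$(basename "$path")   # AVC records carry name="<entry>", not the full path
    if ! command -v getenforce >/dev/null 2>&1; then
        echo NO_SELINUX_TOOLS
        return 0
    fi
    mode=$(getenforce 2>/dev/null || echo Unknown)
    if [ "$mode" != "Enforcing" ]; then
        echo SELINUX_NOT_ENFORCING
        return 0
    fi
    # `ausearch -m AVC -ts recent` lists AVC denials from the last ten minutes.
    if command -v ausearch >/dev/null 2>&1 \
        && ausearch -m AVC -ts recent 2>/dev/null | grep -q -- "name=\"$entry\""; then
        echo SELINUX_ENFORCING_DENIAL
    else
        echo SELINUX_ENFORCING_NO_AVC
    fi
}

# Usage: sh triage.sh /tmp   (run as root so DAC is not the reason stat fails)
if [ -n "${1-}" ] && [ -d "$1" ]; then
    ls -l "$1" 2>/dev/null | unstattable_from_ls | while IFS= read -r name; do
        printf '%s/%s: %s\n' "$1" "$name" "$(classify_unstattable "$1/$name")"
        # Show the label of the parent and, if readable, the entry, for comparison.
        ls -Zd "$1" "$1/$name" 2>/dev/null
    done
fi
```

If the result is SELINUX_ENFORCING_DENIAL, the audit record also tells you which source context (the process that ran ls) was denied which permission on which target context, which is the information needed before touching policy; if SELinux is not enforcing and root still cannot stat the entry, the IDS alarm deserves the rootkit investigation it asked for.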