need rules help - solved
LC Bruzenak
lenny at magitekltd.com
Thu Aug 6 15:10:30 UTC 2009
On Wed, 2009-08-05 at 21:45 -0500, LC Bruzenak wrote:
>
> I thought that the following would work:
> -a never,exit -F subj_type=jcdx_mtdb_t -F obj_type=jcdx_stdb_var_t
Sorry for the false alarm. This one is operator error (at least I think
it is; will retest better, so far it appears to work as advertised).
I realized I had a rule to audit that event in the list.
This one needs the "-A' vice "-a" to ensure it goes to the head of the
rule line.
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list