crond
Eric Paris
eparis at redhat.com
Wed Jan 7 22:59:35 UTC 2009
On Wed, 2009-01-07 at 17:52 -0500, Steve Grubb wrote:
> On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
> > in man auditctl you talk about the "exclude" list.
>
> Yes, I thought about that, too. This is what you have to work with:
>
> type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0
> ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>
> This part is a string and cannot be matched against:
> msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
>
> If the type filter allows matching by selinux context, then you might be able
> to say:
Of course not, it allows matching only on type.
I can push type matching down into the user filter though (that was my
original thought).
I'll try to remember to poke it tomorrow...
-Eric