exclude rule help
Steve Grubb
sgrubb at redhat.com
Fri Jun 26 00:22:38 UTC 2009
On Thursday 25 June 2009 06:01:08 pm LC Bruzenak wrote:
> Anyone have a good idea of how to discard all these events? Ideally the
> caller would send in a self-generated event such as "rsyncing rick/src2/
> to /temp-home" or similar. This is for a dedicated file backup
> procedure.
>
> Obviously I do not want to discard all rsync events, just when launched
> by our trusted program. Nor would I really want all that program's
> events discarded since I want it to be able to submit proactive events
> which summarize its behavior.
With SE Linux, you can create different subject types based on how the
application was started. Then you can exclude based on the type you assign to
your subject whenever started by your trusted program.
-Steve
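
The approach described in the reply above, sketched as an audit rules fragment. This is an added example, not part of the original message: the type names `trusted_backup_t` and `backup_rsync_t`, the watched directory and the key are hypothetical, and the SELinux policy lines appear only as comments because they belong in a separate policy module.

```conf
# Added example; type names, path and key are assumptions, not from the thread.
#
# SELinux side (separate policy module, shown here only for orientation):
# the trusted backup program runs as trusted_backup_t, and rsync started
# from that domain transitions to its own subject type:
#
#   type_transition trusted_backup_t rsync_exec_t:process backup_rsync_t;
#
# The module must also allow that transition and grant backup_rsync_t the
# file access rsync needs. rsync started from any other domain keeps its
# usual type and is still audited.

# Audit side: drop syscall events whose subject type is the backup-only
# rsync type. Rules in a filter list are evaluated in order and the first
# match wins, so this line must come before the rules that would otherwise
# log the file access.
-a never,exit -F subj_type=backup_rsync_t

# Constructed example of an existing rule that would otherwise record every
# file rsync touches during the backup.
-a always,exit -F dir=/home -F perm=rwa -k home-access
```

The trusted program itself stays in `trusted_backup_t`, so the `never` rule does not match it, and the summary events it submits from user space are not syscall exit records, so they are not dropped by this rule.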