On Fri, 21 Apr 2006 19:44:55 EDT, Steve Grubb said: > -a always,exclude -F msgtype=EXECVE > > Problem Solved (tm).
Damn, I read the patch over like 3 times, and didn't twig into it using AUDIT_EXECVE (1309) - I managed to convince myself this was an expansion of the record cut for the execve under AUDIT_SYSCALL (1300). <mode="Emily Litella"> Nevermind... </mode> :)
pgpQaLrSP3z5c.pgp
Description: PGP signature
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
