On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
> in man auditctl you talk about the "exclude" list.

Yes, I thought about that, too. This is what you have to work with:

type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0 ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023

This part is a string and cannot be matched against:

msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

If the type filter allows matching by selinux context, then you might be able to say:

-a always,exclude -F msgtype=USER_START -F auid=0 -F subj_type=crond_t

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
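
Added example (not part of the original message and not code from the audit project): a small Python sketch that splits a USER_START record into the key=value fields ahead of msg='...' and the opaque quoted string, then checks the proposed exclude rule against those fields only. It assumes, as the message does, that the filter can match on subj_type; the second record and the names split_record, rule_matches and excluded are constructed for illustration.

```python
import re

# Constructed sample records modelled on the one quoted in the message.
RECORDS = [
    "type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0 ses=14 "
    "subj=system_u:system_r:crond_t:s0-s0:c0.c1023 "
    "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/crond\" "
    "(hostname=?, addr=?, terminal=cron res=success)'",
    "type=USER_START msg=audit(1231365700.101:170): user pid=4702 uid=0 auid=500 ses=15 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=PAM:session_open acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=?, terminal=ssh res=success)'",
]

def split_record(line):
    """Return (fields, opaque): fields before msg='...' and the quoted string itself."""
    head, sep, tail = line.partition(" msg='")
    opaque = tail.rstrip("'") if sep else None
    fields = dict(re.findall(r"(\w+)=(\S+)", head))
    fields.pop("msg", None)  # msg=audit(ts:serial) is the record id, not a filter field
    if "subj" in fields:
        # SELinux context is user:role:type:level; the level may contain ':' itself.
        parts = fields["subj"].split(":", 3)
        if len(parts) >= 3:
            fields["subj_type"] = parts[2]
    fields["msgtype"] = fields.pop("type", None)
    return fields, opaque

def rule_matches(rule, fields):
    """Every -F condition in a rule must hold (they are ANDed together)."""
    return all(fields.get(k) == v for k, v in rule.items())

# The rule proposed in the message:
#   -a always,exclude -F msgtype=USER_START -F auid=0 -F subj_type=crond_t
EXCLUDE_RULE = {"msgtype": "USER_START", "auid": "0", "subj_type": "crond_t"}

def excluded(line, rule=EXCLUDE_RULE):
    fields, _ = split_record(line)  # the opaque msg='...' part is never consulted
    return rule_matches(rule, fields)

if __name__ == "__main__":
    for rec in RECORDS:
        fields, opaque = split_record(rec)
        print("excluded" if excluded(rec) else "kept", fields["subj_type"], "|", opaque)
```

Values such as acct, exe and terminal live only inside the quoted string, so they never appear in the field dictionary the rule is checked against.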
