On Wed, 2009-01-07 at 17:52 -0500, Steve Grubb wrote:
> On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
> > in man auditctl you talk about the "exclude" list.
>
> Yes, I thought about that, too. This is what you have to work with:
>
> type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0
> ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>
> This part is a string and cannot be matched against:
> msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
>
> If the type filter allows matching by selinux context, then you might be able
> to say:
Of course not, it allows matching only on type. I can push type matching
down into the user filter though (that was my original thought). I'll try
to remember to poke it tomorrow.....

-Eric

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
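The record Steve quotes, run through a small parser that splits it into the structured key=value fields and the opaque msg='...' string, plus a userspace model of an exclude filter that can only see the structured part. This is an added example, not code from the thread or from the audit project; the rule format (a list of dicts), the function names, and the subj_user/subj_role/subj_type rule keys (named after auditctl's -F subj_* fields) are my own assumptions, and the sample record is the one from the quoted message joined onto a single line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the USER_START record quoted in the thread, on one line.
SAMPLE_RECORD = (
    "type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0 "
    "ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 "
    "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/crond\" "
    "(hostname=?, addr=?, terminal=cron res=success)'"
)

# Header every audit record starts with: type=... msg=audit(ts:serial): body
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# Trailing free-form text of user-space records; the kernel filter cannot match on it.
MSG_RE = re.compile(r"\s*msg='(?P<msg>.*)'\s*$")


@dataclass
class AuditRecord:
    type: str
    timestamp: float
    serial: int
    fields: Dict[str, str]      # structured key=value pairs (visible to a filter)
    msg: Optional[str]          # opaque string (not visible to a filter)


def parse_record(line: str) -> AuditRecord:
    """Split one audit line into header, structured fields and the msg string."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    body = m.group("body")
    msg = None
    mm = MSG_RE.search(body)
    if mm:
        msg = mm.group("msg")
        body = body[:mm.start()]
    fields: Dict[str, str] = {}
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        # bare tokens such as the leading "user" carry no key and are skipped
    return AuditRecord(m.group("type"), float(m.group("ts")),
                       int(m.group("serial")), fields, msg)


def selinux_parts(ctx: str) -> Dict[str, str]:
    """Split user:role:type:range; the range may itself contain colons."""
    parts = ctx.split(":", 3)
    names = ("user", "role", "type", "range")
    return dict(zip(names, parts))


def matches_exclude(rec: AuditRecord, rules: List[Dict[str, str]]) -> bool:
    """True if any rule matches the record (all keys of that rule must match).

    Models the limitation discussed in the thread: a rule can look at the
    record type and the structured fields (here also the subj= components),
    but never inside the msg='...' string, so a key that only exists there
    (e.g. terminal=cron) can never match.
    """
    for rule in rules:
        matched = True
        for key, want in rule.items():
            if key == "msgtype":
                got = rec.type
            elif key.startswith("subj_"):
                got = selinux_parts(rec.fields.get("subj", "")).get(key[5:])
            else:
                got = rec.fields.get(key)
            if got != want:
                matched = False
                break
        if matched:
            return True
    return False


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec.type, rec.serial, rec.fields["subj"])
    print("drop crond session records:",
          matches_exclude(rec, [{"msgtype": "USER_START", "subj_type": "crond_t"}]))
    print("rule on terminal=cron matches:",
          matches_exclude(rec, [{"terminal": "cron"}]))
```

Feeding the parser a whole log and dropping records for which matches_exclude() is true gives, in userspace, the same effect an exclude rule would have in the kernel, and makes visible why a rule on anything inside the msg string can only be applied after parsing that string separately.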
