On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <[email protected]> wrote:
>> my patch only allows for positive match, not negative matching. I was
>> afraid someone saying something like, '-a exit,always -S open -F
>> exe!=/bin/bash' but I suppose like any audit rule, it could be a
>> caveat emptor sort of thing.
>>
>> I'll modify that patch and resend it, but it doesn't help the current
>> situation.
>
> I was thinking something like
> -a exit,never -S open -F exe=/bin/bash

Oh, that works too. Do you think it's worth me fixing up the patch to allow !=?

--
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
