On Tuesday, September 18, 2012 10:31:57 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <[email protected]> wrote:
> >> my patch only allows for positive match, not negative matching. I was
> >> afraid someone saying something like, '-a exit,always -S open -F
> >> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> >> caveat emptor sort of thing.
> >>
> >> I'll modify that patch and resend it, but it doesn't help the current
> >> situation.
> >
> > I was thinking something like
> > -a exit,never -S open -F exe=/bin/bash
>
> Oh, that works too.
>
> Do you think it's worth me fixing up the patch to allow !=?

No. The path and dir fields do not allow it. These should all be consistent.

Thanks,
-Steve
