On Wednesday 07 January 2009 04:24:27 pm Starr-Renee Corbin wrote:
> Is there a way to run an auditctl command that will do both of the
> above?
Not at this point. If the user filter in the kernel allowed type to be used, you might stand a chance. But then there is no way to filter on cron being the source in the kernel. User space originating audit events are sent as a string to the kernel. The kernel does not parse strings and won't match against it.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
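The two conditions named in the reply above, record type and cron as the source, can be matched in user space once the records have been written, because the source only appears inside the free-form string of a user-space record. The following is an added example, not part of the original thread or of the audit project's code. The sample records are constructed, and the record layout, the `/usr/sbin/crond` path and the `parse_record` / `drop_matching` names are assumptions.

```python
import re

# Constructed sample records in the audit.log text layout (not from the thread).
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1231367067.099:500): user pid=4021 uid=0 auid=0 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(1231367067.101:501): user pid=4021 uid=0 auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(1231367070.220:502): user pid=4100 uid=0 auid=500 msg='PAM: session open acct="alice" : exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=SYSCALL msg=audit(1231367080.000:503): arch=c000003e syscall=2 success=yes exit=3 pid=4200 auid=500 uid=500 comm="cat" exe="/bin/cat"
"""

RECORD = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
USER_MSG = re.compile(r"msg='(?P<payload>.*)'\s*$")  # free-form string set by the sender
EXE = re.compile(r'exe="(?P<exe>[^"]*)"')


def parse_record(line):
    """Return type, serial, exe and a user-space flag for one record, or None."""
    m = RECORD.match(line)
    if m is None:
        return None
    payload = USER_MSG.search(m["body"])
    # In a user-space record the exe field sits inside the quoted payload,
    # so it is only reachable by parsing that string.
    scope = payload["payload"] if payload else m["body"]
    exe = EXE.search(scope)
    return {
        "type": m["type"],
        "serial": int(m["serial"]),
        "user_space": payload is not None,
        "exe": exe["exe"] if exe else None,
    }


def drop_matching(log_text, rec_type, exe):
    """Keep every line except user-space records with this type AND this exe."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["user_space"] and rec["type"] == rec_type and rec["exe"] == exe:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for line in drop_matching(SAMPLE_LOG, "USER_START", "/usr/sbin/crond"):
        print(line)
```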
