On Wed, 2009-01-07 at 17:22 -0500, Steve Grubb wrote: > On Wednesday 07 January 2009 04:24:27 pm Starr-Renee Corbin wrote: > > Is there a way to run an auditctl command that will do both of the > > above? > > Not at this point. If the user filter in the kernel allowed type to be used, > you might stand a chance. But then there is no way to filter on cron being > the source in the kernel. > > User space originating audit events are sent as a string to the kernel. The > kernel does not parse strings and won't match against it. > > -Steve
in man auditctl you talk about the "exclude" list. Do you know if this maps to list number 0x05 ? Anyway, assuming so, I don't see a reason right off hand we couldn't pass the userspace audit messages through the exclude filter list (In kernel it's called the "type" filter list. -Eric -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
