crond

Eric Paris eparis at redhat.com
Wed Jan 7 22:40:14 UTC 2009


On Wed, 2009-01-07 at 17:22 -0500, Steve Grubb wrote:
> On Wednesday 07 January 2009 04:24:27 pm Starr-Renee Corbin wrote:
> > Is there a way to run an auditctl command that will do both of the  
> > above?
> 
> Not at this point. If the user filter in the kernel allowed type to be used, 
> you might stand a chance. But then there is no way to filter on cron being 
> the source in the kernel. 
> 
> User space originating audit events are sent as a string to the kernel. The 
> kernel does not parse strings and won't match against it. 
> 
> -Steve

In man auditctl you talk about the "exclude" list.  Do you know if this
maps to list number 0x05?  Anyway, assuming so, I don't see a reason
right off hand we couldn't pass the userspace audit messages through the
exclude filter list (in kernel it's called the "type" filter list).

-Eric



