
Re: Excluding events by command



On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <sgrubb redhat com> wrote:
>> my patch only allows for positive match, not negative matching. I was
>> afraid of someone saying something like, '-a exit,always -S open -F
>> exe!=/bin/bash' but I suppose like any audit rule, it could be a
>> caveat emptor sort of thing.
>>
>> I'll modify that patch and resend it, but it doesn't help the current
>> situation.
>
> I was thinking something like
> -a exit,never -S open -F exe=/bin/bash

Oh, that works too.

Do you think it's worth me fixing up the patch to allow !=?


--
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

