
Re: Excluding events by command



On Tuesday, September 18, 2012 10:31:57 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <sgrubb redhat com> wrote:
> >> my patch only allows for positive match, not negative matching. I was
> >> afraid someone saying something like, '-a exit,always -S open -F
> >> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> >> caveat emptor sort of thing.
> >> 
> >> I'll modify that patch and resend it, but it doesn't help the current
> >> situation.
> > 
> > I was thinking something like
> > -a exit,never -S open -F exe=/bin/bash
> 
> Oh, that works too.
> 
> Do you think it's worth me fixing up the patch to allow !=?

No. The path and dir fields do not allow it. These should all be consistent.

Thanks,
-Steve

