excluding auditd events
Mr Dash Four
mr.dash.four at googlemail.com
Tue May 24 16:45:47 UTC 2011
> I think no, the man page is not so clear IMHO but the error message
> is, and i also read the code (sure i could be wrong) . BTW, you can
> add on the top of the audit rule that exclude ALL the USER_ACCT
That's an overkill and completely unsuitable in what I am trying to do -
I need more fine-grained match. I can't just disable *all* auditing on
USER_ACCT-type messages - this would open the door to possible
intrusions, which I won't be able to see if I disable all USER_ACCT-type
messages. Not a chance of that ever happening!
> -A exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open
>
I don't yet know what type of syscalls (if any) there could be. Besides,
there is nowhere I could find a fairly complete list of those. I have
email to see if I could get on the audit list and ask somebody there for
advice as I am still in denial that I couldn't enable more fine-grained
filter on this.
More information about the selinux
mailing list