excluding auditd events

Eric Paris eparis at redhat.com
Wed May 25 01:52:43 UTC 2011


On 05/24/2011 12:45 PM, Mr Dash Four wrote:
> 
>> I think no, the man page is not so clear IMHO but the error message 
>> is, and I also read the code (sure I could be wrong). BTW, you can 
>> add on the top an audit rule that excludes ALL the USER_ACCT
> That's overkill and completely unsuitable for what I am trying to do - 
> I need a more fine-grained match. I can't just disable *all* auditing on 
> USER_ACCT-type messages - this would open the door to possible 
> intrusions, which I won't be able to see if I disable all USER_ACCT-type 
> messages. Not a chance of that ever happening!
> 
>> -A exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open
>>   
> I don't yet know what type of syscalls (if any) there could be. Besides, 
> there is nowhere I could find a fairly complete list of those. I have 
> emailed to see if I could get on the audit list and ask somebody there for 
> advice as I am still in denial that I can't enable a more fine-grained 
> filter on this.
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

How about a rule like:

auditctl -a user,never -F subj_type=crond_t


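The rule suggested above puts the "never" on the user list, which is where USER_ACCT and the other user-space-originated records (USER_*, CRED_*) are filtered, and keys it on the SELinux type of the sending process instead of the message type. As an added example (not part of the thread, and not auditctl itself), the script below is a dry-run matcher: it applies the same subj_type test to a few constructed audit records so you can see which ones the rule would suppress before loading it. It assumes, as labelled in the comments, that subj_type is compared against the type component (third colon-separated field) of the process's SELinux context, and it approximates the kernel's user-list/syscall-list split by record type prefix.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread.
# Dry-run matcher for the user-list rule discussed above:
#
#   -a user,never -F subj_type=crond_t
#
# Put that line at the TOP of /etc/audit/audit.rules: the user list is walked
# in order and a "never" rule only helps if it is hit before an "always" rule.
#
# Assumption: subj_type matches the type component (third field) of the
# sending process's SELinux context, e.g. system_u:system_r:crond_t:s0-s0:c0.c1023.
RULE_SUBJ_TYPE="crond_t"

# Constructed sample records (not captured from a real system).
REC_CRON="type=USER_ACCT msg=audit(1306288363.123:456): user pid=1234 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/sbin/crond\" hostname=? addr=? terminal=cron res=success'"
REC_SSH="type=USER_ACCT msg=audit(1306288370.456:457): user pid=2345 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'"
REC_SYSCALL="type=SYSCALL msg=audit(1306288380.789:458): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 comm=\"crond\" exe=\"/usr/sbin/crond\" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=\"open\""

# Value of a key=value token in one audit record line ($1 = key, $2 = record).
audit_field() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Type component of an SELinux context: user:role:type:range -> type.
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Print "drop" if the never rule would discard the record, else "keep".
# Only user-space records traverse the user list; syscall records are on the
# exit list and are never touched by this rule (approximated here by the
# record type prefix).
filter_record() {
  rec="$1"
  t=$(audit_field type "$rec")
  case "$t" in
    USER_*|CRED_*) ;;          # user-list candidates
    *) echo keep; return ;;    # not a user-list record
  esac
  subj=$(audit_field subj "$rec")
  if [ "$(selinux_type "$subj")" = "$RULE_SUBJ_TYPE" ]; then
    echo drop
  else
    echo keep
  fi
}

# Show the verdict for each sample record.
demo() {
  for r in "$REC_CRON" "$REC_SSH" "$REC_SYSCALL"; do
    printf '%-4s  %s from %s\n' "$(filter_record "$r")" \
      "$(audit_field type "$r")" "$(selinux_type "$(audit_field subj "$r")")"
  done
}

demo
```

Two caveats when using the real rule: it drops every user-space record from crond_t (CRED_ACQ, USER_START and so on), not only USER_ACCT, so check with ausearch that nothing you rely on came from that domain; and on the kernels of this thread the exclude list only accepts msgtype, which is why the rule lives on the user list. Later kernel and auditctl versions also accept subj_type on the exclude list (check the exclude-list description in your auditctl(8) man page), which lets you narrow it to a single message type.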