> How about a rule like: > > auditctl -a user,never -F subj_type=crond_t > Not very helpful, I am afraid - crond_t could "misbehave" in different ways, hence why I also need to limit by message type as well as a bare minimum. Is this something which is restricted by the kernel or the daemon?