excluding auditd events
Mr Dash Four
mr.dash.four at googlemail.com
Wed May 25 02:23:40 UTC 2011
> You are only excluding 'user' messages. I don't know the list of which
> msg types are 'user' messages off the top of my head, but it isn't that
> long. I don't believe that crond sends any other user messages (but it
> wouldn't be the first time I was wrong). You would still audit things
> like AVC denials for cron or any syscall audit rules you have.
> Basically that is going to deny all audit messages that cron explicitly
> sent to the audit system, but not messages generated by the kernel for cron.
>
I can't really answer whether this is good or not then, as 1) my auditd
knowledge is still limited and 2) I do not really know what these "user
messages" actually cover (is there a definite list of these?). I would
like to disable the following types for sure: USER_ACCT, CRED_ACQ,
USER_START, CRED_DISP and USER_END.
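The exclusion discussed in this thread, as an added example that is not part of the original post or of the audit project's own tooling: it emits the `auditctl` exclude rules for the five record types the poster names and then runs a small model of the exclude filter over constructed audit.log lines. The exclude filter matches on the record type only (on kernels of that era it accepts no other field), so every USER_ACCT, CRED_ACQ, USER_START, CRED_DISP and USER_END record is dropped whichever daemon sent it, which the sshd USER_START line below makes visible, while kernel-originated SYSCALL and AVC records about crond survive, exactly as the quoted reply says. The numeric type values and the "user message" ranges (1100-1199 and 2100-2999) are the ones in linux/audit.h; the log lines, PIDs, timestamps and the `cron-files` key are constructed for the example.

```python
"""Audit exclude rules for selected user-message types, checked against
constructed audit.log records. Added example, not code from the list post."""
import re

# The five record types the poster wants silenced.
EXCLUDED_MSGTYPES = ["USER_ACCT", "CRED_ACQ", "USER_START", "CRED_DISP", "USER_END"]

# Numeric record types from linux/audit.h. Messages sent from user space
# ("user messages") occupy 1100-1199 and 2100-2999; kernel records such as
# SYSCALL (1300) and AVC (1400) lie outside those ranges.
MSGTYPE_NUMBERS = {
    "USER_ACCT": 1101, "CRED_ACQ": 1103, "CRED_DISP": 1104,
    "USER_START": 1105, "USER_END": 1106, "SYSCALL": 1300, "AVC": 1400,
}


def is_user_message(num):
    """True if a numeric record type falls in the kernel's user-message ranges."""
    return 1100 <= num <= 1199 or 2100 <= num <= 2999


def exclude_rules(msgtypes):
    """One audit.rules line per type; older auditctl also accepts '-a exclude,always'."""
    return [f"-a always,exclude -F msgtype={t}" for t in msgtypes]


RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([^)]*)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into its type, timestamp:serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "ts": ts, "fields": fields}


def apply_exclude(lines, msgtypes):
    """Model the exclude filter: a record is dropped purely on its type, so the
    sender (crond, sshd, ...) plays no part in the decision."""
    kept, dropped = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            (dropped if rec["type"] in msgtypes else kept).append(rec)
    return kept, dropped


# Constructed sample records: crond's PAM bookkeeping, an sshd session start,
# and two kernel-generated records about crond (a watched syscall and an AVC).
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1306290220.101:2001): user pid=2345 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1306290220.102:2002): user pid=2345 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1306290231.500:2003): user pid=2400 uid=0 auid=1000 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1306290220.150:2004): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2345 pid=2346 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0 key="cron-files"
type=AVC msg=audit(1306290220.151:2005): avc:  denied  { read } for  pid=2346 comm="crond" name="shadow" dev=dm-0 ino=131 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""


if __name__ == "__main__":
    print("# rules to append to /etc/audit/audit.rules")
    for rule in exclude_rules(EXCLUDED_MSGTYPES):
        print(rule)
    kept, dropped = apply_exclude(SAMPLE_LOG.splitlines(), EXCLUDED_MSGTYPES)
    print("\n# dropped (by type alone, sender ignored):")
    for r in dropped:
        print(f"  {r['type']:<10} exe={r['fields'].get('exe')}")
    print("# kept (kernel-originated records about crond):")
    for r in kept:
        print(f"  {r['type']:<10} comm={r['fields'].get('comm')}")
```

Run the printed rules through `auditctl -R` or drop them into audit.rules and confirm with `auditctl -l`; if the sshd records in the dropped set are unwelcome, the exclude filter alone cannot spare them, and the alternative is to leave those types on and filter at search time with `ausearch -m` and `-x`.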