On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> my patch only allows for positive match, not negative matching. I was
> afraid someone saying something like,
> '-a exit,always -S open -F exe!=/bin/bash'
> but I suppose like any audit rule, it could be a caveat emptor sort of
> thing.
>
> I'll modify that patch and resend it, but it doesn't help the current
> situation.
I was thinking something like

-a exit,never -S open -F exe=/bin/bash

Oh, that works too.
Do you think it's worth me fixing up the patch to allow !=?
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038