Re: crond
On Wednesday 07 January 2009 04:24:27 pm Starr-Renee Corbin wrote:
Is there a way to run an auditctl command that will do both of the
above?
Not at this point. If the user filter in the kernel allowed type to be used,
you might stand a chance. But then there is no way to filter on cron being
the source in the kernel.
User space originating audit events are sent as a string to the kernel. The
kernel does not parse strings and won't match against it.
-Steve