On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
In man auditctl you talk about the "exclude" list.
Yes, I thought about that, too. This is what you have to work with:
type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0
ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
This part is a string and cannot be matched against:
msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
If the type filter allows matching by selinux context, then you might be able to say:
-a always,exclude -F msgtype=USER_START -F auid=0 -F subj_type=crond_t
-Steve
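As an added illustration that is not part of the thread, a small Python simulation of the proposed exclude rule against the record quoted above: only the header fields are compared, the msg='...' body stays an opaque string, and subj_type is taken as the third component of the SELinux context. The record and rule are the ones from the mail; the matching logic is a simplified stand-in for the kernel's filter, not audit's own code, and only the `=` operator is handled.

```python
import re

# Constructed sample: the record quoted in the thread, rejoined onto one line.
SAMPLE = ("type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0 "
          "ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 "
          "msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/crond\" "
          "(hostname=?, addr=?, terminal=cron res=success)'")

# The rule proposed in the thread.
RULE = "-a always,exclude -F msgtype=USER_START -F auid=0 -F subj_type=crond_t"

# Header fields this simulation can compare. Anything inside the msg='...'
# body (acct, exe, terminal, res, ...) is treated as an opaque string.
MATCHABLE = {"msgtype", "pid", "uid", "auid", "ses", "subj_type"}

def parse_record(line):
    """Split a record into its header fields; keep the msg='...' body opaque."""
    head, sep, body = line.partition(" msg='")
    fields = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    fields["msg_body"] = body.rstrip("'") if sep else None
    return fields

def parse_rule(rule):
    """Return the (field, value) pairs from the -F clauses of an auditctl rule."""
    return re.findall(r"-F\s+(\w+)=(\S+)", rule)

def field_value(fields, name):
    """Map rule field names onto record fields the way the thread describes."""
    if name == "msgtype":
        return fields.get("type")
    if name == "subj_type":          # third component of the SELinux context
        parts = fields.get("subj", "").split(":")
        return parts[2] if len(parts) > 2 else None
    return fields.get(name)

def would_exclude(line, rule):
    """True if every -F clause of the exclude rule matches the record header."""
    fields = parse_record(line)
    for name, value in parse_rule(rule):
        if name not in MATCHABLE:
            raise ValueError(f"{name} is inside the msg string, not a filterable field")
        if field_value(fields, name) != value:
            return False
    return True
```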