From: Eric Paris
Subject: Re: crond
Date: Wed, 07 Jan 2009 17:59:35 -0500
Message-ID: <1231369175.31089.74.camel@localhost.localdomain>
In-Reply-To: <200901071752.17502.sgrubb@redhat.com>
References: <2B0B840A-94CA-4D42-92B9-34BD537185DB@arlut.utexas.edu>
 <200901071722.41310.sgrubb@redhat.com>
 <1231368014.31089.68.camel@localhost.localdomain>
 <200901071752.17502.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2009-01-07 at 17:52 -0500, Steve Grubb wrote:
> On Wednesday 07 January 2009 05:40:14 pm Eric Paris wrote:
> > in man auditctl you talk about the "exclude" list.
>
> Yes, I thought about that, too. This is what you have to work with:
>
> type=USER_START msg=audit(1231365661.252:161): user pid=4681 uid=0 auid=0
> ses=14 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>
> This part is a string and cannot be matched against:
> msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
>
> If the type filter allows matching by selinux context, then you might be able
> to say:

of course not, it allows matching only on type. I can push type matching
down into the user filter though (that was my original thought)

I'll try to remember to poke it tomorrow.....

-Eric