From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Richard Young"
Subject: Excluding selected CRYPTO_KEY_USER events
Date: Sat, 9 Jan 2016 10:26:06 -0600
Message-ID: <201601091626.u09GQVCl006045@d01av01.pok.ibm.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I know I could exclude all msgtype CRYPTO_KEY_USER audit events, but would like to exclude just specific ones.
I would like to exclude ones for a specific UID, hostname, or IP.

There are many examples of how to exclude specific files, directory events, or syscall events.
Can somebody suggest a way to suppress specific CRYPTO_KEY_USER events by UID, hostname, or IP?
