From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Excluding events by command
Date: Tue, 18 Sep 2012 14:40:28 -0400
Message-ID: <6158306.6ZgK6rRFrQ@x2>
References: <2249732.seR61OZ2Dd@x2>
To: Peter Moody
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Tuesday, September 18, 2012 10:31:57 AM Peter Moody wrote:
> On Tue, Sep 18, 2012 at 10:29 AM, Steve Grubb wrote:
> >> my patch only allows for positive match, not negative matching. I was
> >> afraid someone saying something like, '-a exit,always -S open -F
> >> exe!=/bin/bash' but I suppose like any audit rule, it could be a
> >> caveat emptor sort of thing.
> >>
> >> I'll modify that patch and resend it, but it doesn't help the current
> >> situation.
> >
> > I was thinking something like
> > -a exit,never -S open -F exe=/bin/bash
>
> Oh, that works too.
>
> Do you think it's worth me fixing up the patch to allow !=?

No. The path and dir fields do not allow it. These should all be consistent.

Thanks,
-Steve