On Fri, May 20, 2011 at 5:14 PM, Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote:
I am having difficulty in trying to exclude a certain type of messages
for certain SELinux types being reported to the auditd daemon.
In particular, I would like to exclude the following from being reported
(and thus filling up my audit logs unnecessarily):
msgtype={USER_ACCT|CRED_ACQ|USER_START|CRED_DISP|USER_END}
obj_type=crond_t
success=0
When I try to add this as a rule with "auditctl -A exclude,never -F
msgtype=USER_ACCT -F obj_type=crond_t -F success=0" I get "Only msgtype
field can be used with exclude filter" which is a bit daft as I wish to
exclude USER_ACCT message type from being reported *only* for the
"crond_t" SELinux type. Is there any way I can do this?
I think not; the man page is not so clear IMHO, but the error message is, and I also read the code (sure, I could be wrong). BTW, you can add, at the top of the audit rules, a rule that excludes ALL USER_ACCT messages:
auditctl -A exclude,never -Fmsgtype=USER_ACCT
If it were something related to a syscall, it should be possible to write something like this instead:
-A exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open
Regards
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
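Since the exclude filter in the audit version discussed here accepts only msgtype, the combination the question asks for (message type plus SELinux type plus result) cannot be expressed as a single auditctl rule, but it can be applied when the log is read back rather than when it is recorded. The script below is an added example and is not from either poster: it drops records whose type is in a given set, whose subj= context carries a given SELinux type, and whose res= field matches, and runs it over constructed audit.log lines (timestamps, pids and hostnames are made up). Two assumptions: in USER_ACCT/CRED_*/USER_* records emitted by cron, the daemon's context appears in the subj= field (the question wrote obj_type), and the record-level analogue of the question's success=0 is res=failed.

```shell
#!/bin/sh
# Constructed sample audit.log records (not taken from the thread).
sample_log() {
    cat <<'EOF'
type=USER_ACCT msg=audit(1305900000.101:1001): pid=2001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=failed'
type=CRED_ACQ msg=audit(1305900000.102:1002): pid=2001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1305900000.103:1003): pid=2002 uid=0 auid=500 ses=3 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=host.example addr=192.0.2.10 terminal=ssh res=failed'
type=USER_END msg=audit(1305900000.104:1004): pid=2001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=failed'
type=AVC msg=audit(1305900000.105:1005): avc:  denied  { getattr } for  pid=2001 comm="crond" path="/var/spool/cron" dev=dm-0 ino=12345 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir
type=CRED_DISP msg=audit(1305900000.106:1006): pid=2001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=failed'
EOF
}

# drop_records TYPES SETYPE RES  < audit.log
#   TYPES   pipe-separated record types, e.g. 'USER_ACCT|CRED_ACQ'
#   SETYPE  SELinux type expected as the third component of subj=, e.g. crond_t
#   RES     value of res= that must match, e.g. failed ('.*' matches any result)
# A record is dropped only when all three criteria hold; everything else passes through.
drop_records() {
    awk -v types="$1" -v setype="$2" -v res="$3" '
    BEGIN { n = split(types, t, "|"); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    {
        # First field is always type=<RECORD_TYPE>
        split($1, kv, "="); rtype = kv[2]
        is_type = (rtype in want)

        # subj=user:role:type:range -> compare the type component only
        is_subj = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^subj=/) {
                split(substr($i, 6), ctx, ":")
                if (ctx[3] == setype) is_subj = 1
            }

        # res= lives inside the quoted msg= payload, so match it as a regex on the whole line
        is_res = ($0 ~ ("res=" res "([^a-z]|$)"))

        if (is_type && is_subj && is_res) next
        print
    }'
}

# Number of records that survive the filter for the sample log (used by the demo below).
count_kept() {
    sample_log | drop_records "$@" | wc -l | tr -d ' '
}

# Demo: the five message types from the question, restricted to crond_t and failed results.
TYPES='USER_ACCT|CRED_ACQ|USER_START|CRED_DISP|USER_END'
echo "kept (res=failed): $(count_kept "$TYPES" crond_t failed)"
echo "kept (any res):    $(count_kept "$TYPES" crond_t '.*')"
sample_log | drop_records "$TYPES" crond_t failed
```

With res=failed, the CRED_ACQ record survives because its result is success, the sshd_t USER_START survives because the subject type differs, and the AVC survives because its type is not in the set; only the three crond_t failures are dropped. Widening the result to '.*' also drops the successful CRED_ACQ, which is the behaviour the single-field exclude rule from the reply gives for every subject at once.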