Re: excluding auditd events

> You are only excluding 'user' messages.  I don't know the list of which
> msg types are 'user' messages off the top of my head, but it isn't that
> long.  I don't believe that crond sends any other user messages (but it
> wouldn't be the first time I was wrong).  You would still audit things
> like AVC denials for cron or any syscall audit rules you have.
> Basically that is going to deny all audit messages that cron explicitly
> sent to the audit system, but not messages generated by the kernel for cron.
>   
I can't really answer whether this is good or not then, as 1) my auditd 
knowledge is still limited and 2) I do not really know what these "user 
messages" actually cover (is there a definite list of these?). I would 
like to disable the following types for sure: USER_ACCT, CRED_ACQ, 
USER_START, CRED_DISP and USER_END.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
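
Added illustration, not part of the original thread and not an auditd rule: a Python post-filter over constructed audit.log lines showing the split described above, where the five record types named in the message are dropped when crond sent them, while kernel-generated AVC and SYSCALL records for cron remain. The record layout, the sample lines and the match on `exe="/usr/sbin/crond"` are assumptions made for the example.

```python
import re

# The five record types named in the message above.
NOISY_TYPES = {"USER_ACCT", "CRED_ACQ", "USER_START", "CRED_DISP", "USER_END"}

# Constructed sample records in audit.log layout; not taken from a real system.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1250000000.101:501): user pid=2101 uid=0 subj=system_u:system_r:crond_t:s0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" res=success'
type=CRED_ACQ msg=audit(1250000000.102:502): user pid=2101 uid=0 subj=system_u:system_r:crond_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" res=success'
type=USER_START msg=audit(1250000000.103:503): user pid=2101 uid=0 subj=system_u:system_r:crond_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" res=success'
type=AVC msg=audit(1250000000.300:504): avc:  denied  { read } for  pid=2101 comm="crond" name="example" scontext=system_u:system_r:crond_t:s0 tclass=file
type=SYSCALL msg=audit(1250000000.300:504): arch=c000003e syscall=2 success=no exit=-13 pid=2101 comm="crond" exe="/usr/sbin/crond"
type=CRED_DISP msg=audit(1250000000.400:505): user pid=2101 uid=0 subj=system_u:system_r:crond_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" res=success'
type=USER_END msg=audit(1250000000.401:506): user pid=2101 uid=0 subj=system_u:system_r:crond_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" res=success'
type=USER_ACCT msg=audit(1250000000.500:507): user pid=2200 uid=0 subj=system_u:system_r:sshd_t:s0 msg='op=PAM:accounting acct="alice" exe="/usr/sbin/sshd" res=success'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
EXE_RE = re.compile(r'exe="([^"]+)"')


def parse(line):
    """Split one audit record into type, timestamp, serial, body and exe."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    exe = EXE_RE.search(rec["body"])
    rec["exe"] = exe.group(1) if exe else None
    return rec


def is_excluded(rec, exe="/usr/sbin/crond"):
    """Drop only the listed record types, and only when sent by the given exe."""
    return rec["type"] in NOISY_TYPES and rec["exe"] == exe


def filter_log(text):
    """Return (kept, dropped) lists of parsed records."""
    kept, dropped = [], []
    for line in text.splitlines():
        rec = parse(line)
        if rec is not None:
            (dropped if is_excluded(rec) else kept).append(rec)
    return kept, dropped
```

The SYSCALL record also carries `exe="/usr/sbin/crond"`, but it is kept because its type is not in the list; the sshd USER_ACCT record is kept because the executable differs.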

