Re: excluding auditd events

On 05/24/2011 10:23 PM, Mr Dash Four wrote:
> 
>> You are only excluding 'user' messages.  I don't know the list of which
>> msg types are 'user' messages off the top of my head, but it isn't that
>> long.  I don't believe that crond sends any other user messages (but it
>> wouldn't be the first time I was wrong).  You would still audit things
>> like AVC denials for cron or any syscall audit rules you have.
>> Basically that is going to deny all audit messages that cron explicitly
>> sent to the audit system, but not messages generated by the kernel for
>> cron.
>>   
> I can't really answer whether this is good or not then, as 1) my auditd
> knowledge is still limited and 2) I do not really know what these "user
> messages" actually cover (is there a definite list of these?). I would
> like to disable the following types for sure: USER_ACCT, CRED_ACQ,
> USER_START, CRED_DISP and USER_END.

The list of 'user' messages can be found at:

https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h

The kernel will exclude based on my rule anything between
AUDIT_FIRST_USER_MSG and AUDIT_LAST_USER_MSG.

These are all messages that cron would have to explicitly create and
send to the kernel audit subsystem.

It's certainly possible to change the kernel (and then the audit
userspace) to make it work like you wanted it, but we just don't have
that code today.

-Eric
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
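As an added illustration (not code from the thread or from the audit project), the following simulates what the two exclusion approaches discussed above leave in the log: dropping the whole user-message range, as the kernel-side rule does, versus dropping only the five named types. The numeric type ranges and type numbers are taken from the kernel's audit.h as I know them, and the audit.log lines are constructed samples.

```python
import re

# Type numbers from the kernel audit.h / libaudit.h (assumed from the
# headers, not quoted in the thread). 1100..1199 is the range a userspace
# daemon such as crond writes itself via the audit socket.
AUDIT_FIRST_USER_MSG = 1100
AUDIT_LAST_USER_MSG = 1199
MSG_TYPES = {
    "USER_ACCT": 1101, "CRED_ACQ": 1103, "CRED_DISP": 1104,
    "USER_START": 1105, "USER_END": 1106,
    "SYSCALL": 1300, "AVC": 1400,   # kernel-generated, outside the range
}

# Constructed sample: one cron job run as seen in audit.log.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1306270000.001:101): pid=2001 uid=0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=CRED_ACQ msg=audit(1306270000.002:102): pid=2001 uid=0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=USER_START msg=audit(1306270000.003:103): pid=2001 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=SYSCALL msg=audit(1306270000.004:104): arch=c000003e syscall=59 success=yes exit=0 comm="sh" exe="/bin/bash" key="cron-exec"
type=AVC msg=audit(1306270000.005:105): avc:  denied  { read } for  pid=2002 comm="crond" scontext=system_u:system_r:crond_t:s0 tclass=file
type=CRED_DISP msg=audit(1306270000.006:106): pid=2001 uid=0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=USER_END msg=audit(1306270000.007:107): pid=2001 uid=0 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
"""

TYPE_RE = re.compile(r"^type=(\w+) ")


def is_user_msg(type_name):
    """True if the record type lies in the user-message range the kernel
    rule excludes; kernel-originated types (SYSCALL, AVC) are outside it."""
    return AUDIT_FIRST_USER_MSG <= MSG_TYPES[type_name] <= AUDIT_LAST_USER_MSG


def filter_records(log_text, exclude_types=None):
    """Return the type names that survive the exclude filter.

    exclude_types=None mimics the range-based kernel rule from the thread;
    a set of names mimics one explicit msgtype exclusion per type instead.
    """
    survivors = []
    for line in log_text.splitlines():
        m = TYPE_RE.match(line)
        if not m:
            continue
        t = m.group(1)
        dropped = is_user_msg(t) if exclude_types is None else t in exclude_types
        if not dropped:
            survivors.append(t)
    return survivors
```

Either way the SYSCALL and AVC records for cron stay, which is the visibility the thread says is preserved; a per-type rule of the shape `auditctl -a exclude,always -F msgtype=USER_START` is the userspace equivalent of the explicit-list case.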
