> The list of 'user' messages can be found at:
>
> https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h
>
> The kernel will exclude based on my rule anything between
> AUDIT_FIRST_USER_MSG and AUDIT_LAST_USER_MSG.
>

Thanks for that pointer - certainly clears things up a bit.

> These are all messages that cron would have to explicitly create and
> send to the kernel audit subsystem.
>
> It's certainly possible to change the kernel (and then the audit
> userspace) to make it work like you wanted it, but we just don't have
> that code today.
>

This is what I have been wondering - was there some sort of (programming or policy) restriction which led to this, or was it just a case of a nobody-thought-of-this-before sort of thing?

If it is the latter, then it would be easier to change things as, if what I need is implemented, it would provide a great deal of flexibility, not to mention the fact that it would make systems less vulnerable. With the new filters, messages won't pass unnoticed - there is a potential for doing so in the current implementations.

Thanks for your input yet again, Eric.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux