Selective Audit; filtering on message type; integration of operators
Steve Grubb
sgrubb at redhat.com
Mon Oct 3 18:47:14 UTC 2005
On Monday 03 October 2005 14:25, Debora Velarde wrote:
> We can currently select to never audit with the use of the action 'never'.
> Such as "auditctl -a exit,never -F pid=464"
> If we add an 'exclude' list then it seems like we would no longer need the
> 'never' action.
Never means do not create the context and do not collect any information.
Exclude means do not send this message type even though all the info was
collected.
For example, we may not want to see LSPP messages in a CAPP environment. So,
we could tell it to exclude those messages, whereas something on the never list
will not even trigger fs watches.
They are different.
-Steve
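The distinction above, modelled as an added example (not audit code from the thread or the project): a 'never' rule on the exit list short-circuits before any context is built, while an 'exclude' rule drops a message type after the event has been fully collected. The `exit,never` rule is the one quoted in the thread; the `exclude,always -F msgtype=...` syntax and the record list are assumptions for this example.

```python
# Added example: a small model of the two filter points the mail contrasts.
# It is not audit code; auditctl rule text is only parsed to drive the model.
from dataclasses import dataclass

@dataclass
class Rule:
    list_name: str   # "exit" (syscall exit filter) or "exclude"
    action: str      # "always" or "never"
    field: str       # e.g. "pid" or "msgtype"
    value: str

def parse_rule(text: str) -> Rule:
    """Parse '-a <list>,<action> -F <field>=<value>' (auditctl style)."""
    toks = text.split()
    list_name, action = toks[toks.index("-a") + 1].split(",", 1)
    field, value = toks[toks.index("-F") + 1].split("=", 1)
    return Rule(list_name, action, field, value)

# Constructed rule set: the 'never' rule is the one quoted in the thread;
# the 'exclude' rule syntax is assumed for this example.
RULES = [parse_rule(r) for r in (
    "-a exit,never -F pid=464",
    "-a exclude,always -F msgtype=CWD",
)]

def audit_event(pid: int, records: list, rules: list, watches_fired: list) -> list:
    """Model one syscall exit for process `pid` that would normally produce
    `records` (message types such as SYSCALL, CWD, PATH).

    Returns the record types actually delivered. A 'never' match on the exit
    list short-circuits before any context exists, so nothing is collected and
    no fs watch fires. 'exclude' runs after collection and only drops the
    named message types, so the rest of the event is still delivered."""
    for r in rules:
        if r.list_name == "exit" and r.action == "never" \
                and r.field == "pid" and r.value == str(pid):
            return []                      # no context, no collection, no watch
    watches_fired.append(pid)              # context exists: fs watch can fire
    excluded = {r.value for r in rules
                if r.list_name == "exclude" and r.field == "msgtype"}
    return [rec for rec in records if rec not in excluded]

if __name__ == "__main__":
    fired = []
    print(audit_event(464, ["SYSCALL", "CWD", "PATH"], RULES, fired), fired)
    print(audit_event(1000, ["SYSCALL", "CWD", "PATH"], RULES, fired), fired)
```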