On Friday 25 August 2006 18:04, Michael C Thompson wrote: > So if I have the following two rules, what should be expected behaviour? > > auditctl -a entry,always -S chmod > auditctl -a exclude,always -S all The expected behavior is that rule 1 is accepted and rule 2 produces an error and is rejected. -Steve