auditctl usage for filter lists: "user", "watch" and "exclude"

Steve Grubb sgrubb at redhat.com
Thu May 18 15:58:43 UTC 2006


On Thursday 18 May 2006 11:41, Michael C Thompson wrote:
> It also seems to be that:
>
> auditctl -a exclude,always -F msgtype=CWD
> auditctl -a exclude,always -F msgtype=PATH
>
> and
>
> auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH
>
> do not work in the same way, 

This is true. The ones on the same line form an "and" expression. The ones on 
different lines form an "or" expression.

-Steve
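
Added example, not part of the original message and not auditd code: a simplified Python model of the semantics described above, showing why the single-line rule excludes nothing while the two separate rules exclude both record types. The helper names and the sample records are constructed for illustration, only the `=` operator is modeled, and it assumes each audit record carries exactly one message type.

```python
# Simplified model of audit filter-list evaluation (an assumption-labelled
# illustration, not the kernel's or auditd's implementation):
#   - fields given with -F on the same rule are ANDed
#   - separate rules on the same list are ORed

def parse_rule(cmdline):
    """Collect the -F field=value pairs from one auditctl command line."""
    tokens = cmdline.split()
    fields = []
    for i, tok in enumerate(tokens):
        if tok == "-F" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            fields.append((name, value))
    return fields

def rule_matches(fields, record):
    """A rule matches only if every one of its fields matches (AND)."""
    return all(record.get(name) == value for name, value in fields)

def excluded(rules, record):
    """A record is excluded if any rule on the list matches (OR)."""
    return any(rule_matches(parse_rule(r), record) for r in rules)

def surviving_types(rules, records):
    """Message types that still reach the log after the exclude list."""
    return [r["msgtype"] for r in records if not excluded(rules, r)]

# Constructed sample: one record per message type.
RECORDS = [{"msgtype": t} for t in ("SYSCALL", "CWD", "PATH")]

# The two forms quoted in the message.
SEPARATE = [
    "auditctl -a exclude,always -F msgtype=CWD",
    "auditctl -a exclude,always -F msgtype=PATH",
]
COMBINED = ["auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH"]

if __name__ == "__main__":
    # Separate rules: CWD OR PATH is dropped, only SYSCALL survives.
    print("separate rules keep:", surviving_types(SEPARATE, RECORDS))
    # Combined rule: no record is both CWD AND PATH, so nothing is dropped.
    print("combined rule keeps:", surviving_types(COMBINED, RECORDS))
```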



