auditctl usage for filter lists: "user", "watch" and "exclude"
Michael C Thompson
thompsmc at us.ibm.com
Thu May 18 16:04:37 UTC 2006
Steve Grubb wrote:
> On Thursday 18 May 2006 11:41, Michael C Thompson wrote:
>> It also seems to be that:
>>
>> auditctl -a exclude,always -F msgtype=CWD
>> auditctl -a exclude,always -F msgtype=PATH
>>
>> and
>>
>> auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH
>>
>> do not work in the same way,
>
> This is true. The ones on the same line form an "and" expression. The ones on
> different lines form an "or" expression.
So then it should be safe to say that having two -F msgtype=... is an
invalid construct for a rule? Since messages have only 1 type?
Mike
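
Added example, not part of the original message or of the audit project's code: a small Python model of the matching semantics described in the reply above (fields on one line are ANDed, separate lines are ORed), applied to the two rule forms quoted in the thread. It assumes each record carries exactly one type, looks only at `-F msgtype=` equality fields, and uses hypothetical function names; it makes no claim about whether auditctl itself accepts or rejects the combined form.

```python
import re
import shlex

# Only plain equality is modelled; msgtype!=X and other operators are ignored.
MSGTYPE_EQ = re.compile(r"^msgtype=(\w+)$")

def parse_exclude_rules(text):
    """Return one list of msgtype values per 'exclude,always' rule line."""
    rules = []
    for line in text.splitlines():
        args = shlex.split(line, comments=True)
        if "exclude,always" not in args:
            continue
        # Every argument that follows a -F switch is a field expression.
        fields = [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-F"]
        types = [m.group(1) for m in map(MSGTYPE_EQ.match, fields) if m]
        rules.append(types)
    return rules

def is_excluded(record_type, rules):
    """Fields within a rule are ANDed; separate rules are ORed."""
    return any(types and all(record_type == t for t in types) for types in rules)

def never_matching(rules):
    """Rules that AND two different msgtype values: no single-typed record fits."""
    return [types for types in rules if len(set(types)) > 1]

# Constructed inputs: the two rule forms quoted in the thread.
SEPARATE = """\
auditctl -a exclude,always -F msgtype=CWD
auditctl -a exclude,always -F msgtype=PATH
"""
COMBINED = "auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH\n"

if __name__ == "__main__":
    for name, text in (("separate", SEPARATE), ("combined", COMBINED)):
        rules = parse_exclude_rules(text)
        for rtype in ("CWD", "PATH", "SYSCALL"):
            state = "excluded" if is_excluded(rtype, rules) else "kept"
            print(f"{name:9} {rtype:8} {state}")
        print(f"{name:9} never-matching rules: {never_matching(rules)}")
```

Run over a rules file, `never_matching` flags exclude rules that look as if they suppress several record types but, under these semantics, suppress none.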