auditctl usage for filter lists: "user" , "watch" and "exclude"
Steve Grubb
sgrubb at redhat.com
Thu May 18 16:13:07 UTC 2006
On Thursday 18 May 2006 11:58, Michael C Thompson wrote:
> True, but I didn't mean for you to interpret them as being active
> together. Example:
>
> auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
> auditctl -a entry,always -S chmod -- no message logged
>
> auditctl -D
>
> auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
> auditctl -a entry,always -S chmod -- no message logged
> The 2nd no message logged doesn't make sense to me, as the exclude,never
> is in fact causing the messages to not get logged.
Looking at the kernel code...I don't think it takes the action into account.
If you have exclude list and msgtype matches, it gets excluded.
-Steve
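The behaviour Steve describes, replayed against Michael's two rule sequences, as an added illustration that is neither part of the thread nor kernel or audit-userspace code: the exclude list is modelled as matching on msgtype alone, with the always/never action ignored. The small auditctl parser and the two scenario lists are constructed here for the model.

```python
# Constructed model of the filter-list semantics discussed in the thread.
# Not kernel code: it encodes Steve's reading that on the exclude list only
# the msgtype match counts and the always/never action is not consulted.
# Only the 'auditctl -a list,action -F k=v [-S name]' and 'auditctl -D'
# subset seen in the mail is handled; anything else is an assumption.

def parse_auditctl(cmdline):
    """Parse one auditctl command line into a rule dict, or None for 'auditctl -D'."""
    argv = cmdline.split()
    if argv[:2] == ["auditctl", "-D"]:
        return None
    rule = {"list": None, "action": None, "fields": {}, "syscalls": []}
    it = iter(argv[1:])
    for tok in it:
        if tok == "-a":
            rule["list"], rule["action"] = next(it).split(",")
        elif tok == "-F":
            key, val = next(it).split("=", 1)
            rule["fields"][key] = val
        elif tok == "-S":
            rule["syscalls"].append(next(it))
    return rule


def apply_commands(cmdlines):
    """Build the active rule set from a sequence of auditctl command lines."""
    rules = []
    for line in cmdlines:
        rule = parse_auditctl(line)
        if rule is None:        # auditctl -D flushes every loaded rule
            rules.clear()
        else:
            rules.append(rule)
    return rules


def is_logged(rules, msgtype):
    """Exclude-list model: a msgtype match drops the record whether the rule
    says 'always' or 'never'; the action field is deliberately ignored."""
    for rule in rules:
        if rule["list"] == "exclude" and rule["fields"].get("msgtype") == msgtype:
            return False
    return True


# The two sequences from Michael's mail (constructed, trailing comments dropped).
SCENARIO_ALWAYS = ["auditctl -a exclude,always -F msgtype=CONFIG_CHANGE",
                   "auditctl -a entry,always -S chmod"]
SCENARIO_NEVER = ["auditctl -D",
                  "auditctl -a exclude,never -F msgtype=CONFIG_CHANGE",
                  "auditctl -a entry,always -S chmod"]
```

Under this model the CONFIG_CHANGE record is suppressed in both sequences, which is the outcome Michael observed; records of any other msgtype are unaffected by the exclude rule.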