auditctl usage for filter lists: "user", "watch" and "exclude"
Michael C Thompson
thompsmc at us.ibm.com
Thu May 18 19:01:55 UTC 2006
Steve Grubb wrote:
> On Thursday 18 May 2006 12:04, Michael C Thompson wrote:
>> So then it should be safe to say that having two -F msgtype=... is an
>> invalid construct for a rule? Since messages have only 1 type?
>
> Only if they are using the '=' operator. Other operators might be valid to
> have multiple -F msgtype.
Ah yes, good point. I'll be sure to properly test the relational
operators. Other than the source code, is there any place for a user to
go and get the message types to determine their ordering?
Mike
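
Added example, not part of the original message or of the audit project's code: a small checker for the point discussed above, that several `-F msgtype` fields in one rule can only match if a single message type satisfies all of them. It assumes the fields of one rule are ANDed together; the rule strings and numeric types are constructed samples, and `check` and the other function names are hypothetical.

```python
import re

# Two-character operators are listed first so '>=' is not read as '>'.
_FIELD = re.compile(r"^msgtype(!=|<=|>=|=|<|>)(\d+)$")

def parse_msgtype_fields(rule):
    """Return [(op, value), ...] for every '-F msgtype<op><n>' in a rule string."""
    tokens = rule.split()
    fields = []
    for flag, arg in zip(tokens, tokens[1:]):
        if flag != "-F":
            continue
        m = _FIELD.match(arg)
        if m:
            fields.append((m.group(1), int(m.group(2))))
    return fields

def satisfiable(fields, lo=0, hi=2**32 - 1):
    """True if one message type can satisfy every field at once (assumed AND)."""
    excluded = set()
    for op, n in fields:
        if op == "=":
            lo, hi = max(lo, n), min(hi, n)
        elif op == ">=":
            lo = max(lo, n)
        elif op == ">":
            lo = max(lo, n + 1)
        elif op == "<=":
            hi = min(hi, n)
        elif op == "<":
            hi = min(hi, n - 1)
        elif op == "!=":
            excluded.add(n)
    if lo > hi:
        return False
    # Some value in [lo, hi] must survive the '!=' exclusions.
    return (hi - lo + 1) > sum(1 for x in excluded if lo <= x <= hi)

def check(rule):
    return satisfiable(parse_msgtype_fields(rule))

if __name__ == "__main__":
    # Constructed sample rules (operators would need quoting in a real shell).
    for r in ("-a exclude,always -F msgtype=1100 -F msgtype=1300",
              "-a exclude,always -F msgtype>=1100 -F msgtype<=1199"):
        print("can match" if check(r) else "never matches", "|", r)
```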