Double addition of rule yields two log messages
Linda Knippers
linda.knippers at hp.com
Fri May 19 18:06:29 UTC 2006
>> I don't know what the "add rule to list=2" means though.
>
> list=2 means that it was added to the entry list, now the
> CONFIG_CHANGE messages tell you which filter list it was added to.
> 2 == entry, 5 == exclude, etc.

Wow, not very intuitive. The auditctl manpage talks about lists
by name (entry, exclude, etc.), not by number. With the 1.2.1 tools,
ausearch with the '-i' option doesn't translate the number into a name.
Does it with the 1.2.2 tools?

Speaking of ausearch, I just noticed that it emits this message:

# /sbin/ausearch -m CONFIG_CHANGE -i
Warning - freq is non-zero and incremental flushing not selected.

Not sure what that means. Maybe it's time I updated my tools.

-- ljk