What is expected: exclude action on the never list?

Michael C Thompson thompsmc at us.ibm.com
Tue May 30 20:45:26 UTC 2006


Hey Steve,

I'm doing some testing (a rare occurrence I know), and I've noticed that 
when the active rules are:

auditctl -a entry,always -S chmod
auditctl -a exclude,always -F msgtype=SYSCALL

The chmod actions are not logged. Now this is what I would expect to 
happen when just reading those lines, not knowing about the internal 
workings of audit. However, if the rules are

auditctl -a entry,always -S chmod
auditctl -a exclude,never -F msgtype=SYSCALL

the chmod actions are not logged either. I would read the second rule as 
saying "do not exclude messages of type SYSCALL". Is this a correct 
interpretation of the rule?

Thanks,
Mike



