How to make audit match only one rule?
zhu xiuming
xiumingzhu at gmail.com
Mon Jul 29 18:38:15 UTC 2013
Hi,
I have two rules in my audit rules
-a always,exit -F arch=b32 -S execve -k EXEC_LOG
-w /etc/passwd -p wra -k identity
When I enter
cat /etc/passwd on the console
Both rules are matched and there is redundant information in the log. How
to make sure there is only one rule matched?
Thanks a lot.