
Re: Selective Audit; filtering on message type; integration of operators



On Monday 03 October 2005 14:25, Debora Velarde wrote:
> We can currently select to never audit with the use of the action 'never'.
>  Such as "auditctl -a exit,never -F pid=464"
> If we add an 'exclude' list then it seems like we would no longer need the
> 'never' action.

Never means do not create the context and do not collect any information.

Exclude means do not send this message type even though all the info was 
collected.

For example, we may not want to see LSPP messages in a CAPP environment. So, 
we could tell it to exclude those messages, whereas something on the never list 
will not even trigger fs watches.

They are different.

-Steve

