auditctl usage for filter lists: "user" , "watch" and "exclude"

Steve Grubb sgrubb at redhat.com
Thu May 18 15:55:15 UTC 2006


On Thursday 18 May 2006 10:59, Michael C Thompson wrote:
> Question, is it intended for:
> auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
>    and
> auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
>
> (being active at different times) to both block the CONFIG_CHANGE
> messages? I would assume that exclude,never would _not_ block messages of
> that type?

I can't see a reason to have both for the same msgtype. The first rule to 
match "wins" though, so the second rule would not apply. I can see that you 
may want to do something like this:

-a exclude,never -F msgtype=DAEMON_END
-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'

Together, this means exclude all messages in the DAEMON_* range except the 
DAEMON_END message.

-Steve
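As an added illustration (not part of Steve's reply or of the audit-userspace code), the following Python models the exclude list exactly as described above: rules are walked in the order they were loaded, the first rule whose msgtype fields all match decides the outcome, and `always` drops the record while `never` keeps it; a record matching no rule is kept. The message type numbers are assumed to match the libaudit.h constants (check your installed headers), and the rule parser and `excluded_types` helper are constructed for this example only.

```python
"""Model of the audit 'exclude' filter list with first-match-wins semantics."""
import re

# Message type numbers, assumed to match libaudit.h (verify against your headers).
MSGTYPES = {
    "DAEMON_START": 1200,
    "DAEMON_END": 1201,
    "DAEMON_ABORT": 1202,
    "DAEMON_CONFIG": 1203,
    "DAEMON_ROTATE": 1204,
    "CONFIG_CHANGE": 1305,
}

# Comparison operators auditctl accepts in a -F field.
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

# Longer operators must come first in the alternation so ">=" is not read as ">".
_OP = r"(?:>=|<=|!=|=|>|<)"
RULE_RE = re.compile(
    r"^(?:auditctl\s+)?-a\s+exclude,(always|never)"
    r"((?:\s+-F\s+'?msgtype" + _OP + r"\w+'?)+)\s*$"
)
FIELD_RE = re.compile(r"-F\s+'?msgtype(" + _OP + r")(\w+)'?")


def parse_rule(line):
    """Parse one auditctl exclude rule into (action, [(op, numeric_type), ...])."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an exclude rule with msgtype fields: {line!r}")
    action = m.group(1)
    fields = []
    for op, name in FIELD_RE.findall(m.group(2)):
        value = int(name) if name.isdigit() else MSGTYPES[name]
        fields.append((op, value))
    return action, fields


def rule_matches(fields, msgtype):
    """All -F fields of a single rule are ANDed together."""
    return all(OPS[op](msgtype, val) for op, val in fields)


def is_excluded(rules, msgtype):
    """Walk the list in load order; the first matching rule decides.

    'always' drops the record, 'never' keeps it, no match keeps it.
    """
    for action, fields in rules:
        if rule_matches(fields, msgtype):
            return action == "always"
    return False


def excluded_types(rule_lines):
    """Return the sorted names of known message types the rule set would drop."""
    rules = [parse_rule(line) for line in rule_lines]
    return sorted(name for name, num in MSGTYPES.items() if is_excluded(rules, num))


if __name__ == "__main__":
    # The two-rule set from the reply: everything in the DAEMON_* range
    # except DAEMON_END is dropped.
    steve = [
        "-a exclude,never -F msgtype=DAEMON_END",
        "-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'",
    ]
    print("reply's rules drop:", excluded_types(steve))
    # Same two rules in the opposite order: the range rule now matches
    # DAEMON_END first, so the 'never' rule is never consulted.
    print("reversed order drops:", excluded_types(list(reversed(steve))))
    # The questioner's pair: whichever rule is loaded first wins.
    both = [
        "auditctl -a exclude,always -F msgtype=CONFIG_CHANGE",
        "auditctl -a exclude,never -F msgtype=CONFIG_CHANGE",
    ]
    print("always-then-never drops:", excluded_types(both))
    print("never-then-always drops:", excluded_types(list(reversed(both))))
```

Running it shows why rule order matters: loading the `never` rule for DAEMON_END before the range rule keeps that one record, while loading it afterwards has no effect because the range rule already matched.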