auditctl usage for filter lists: "user" , "watch" and "exclude"

Michael C Thompson thompsmc at us.ibm.com
Thu May 18 15:58:23 UTC 2006


Steve Grubb wrote:
> On Thursday 18 May 2006 10:59, Michael C Thompson wrote:
>> Question, is it intended for:
>> auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
>>    and
>> auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
>>
>> (being active at different times) to both block the CONFIG_CHANGE
>> messages? I would assume that exclude,never would _not_ block messages of
>> that type?
> 
> I can't see a reason to have both for the same msgtype. The first rule to 
> match "wins" though, so the second rule would not apply.

True, but I didn't mean for you to interpret them as being active 
together. Example:

auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
auditctl -a entry,always -S chmod -- no message logged

auditctl -D

auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
auditctl -a entry,always -S chmod -- no message logged

The second "no message logged" doesn't make sense to me, as the exclude,never 
rule is in fact causing the messages to not get logged.

Mike