On Thursday, November 19, 2020 1:59:58 PM EST Andreas Hasenack wrote:
> Hi,
> On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > > Why is it being logged, given that it matches the second (and last)
> > > rule I have?
> >
> > These two events are considered kernel configuration changes. Which means
> > that they do not originate via the SYSCALL rule engine. The -a
> > never,exit technique works only when the event is generated as a result
> > of other SYSCALL rules. Normally you would place that higher up so it
> > matches first.
> >
> > In this case, what you would want to do is suppress it using the exclude
> > filter:
> >
> > -a always,exclude -F msgtype=NETFILTER_CFG
> >
> > That should fix it.
> I see, and I can still add auid=-1 to that one, right? Just not the exe
> filter?
You can add the -F auid=-1 if you want to.
-Steve
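To make the distinction Steve draws concrete, here is a small model of which auditd rule list a record passes through. It is an added, constructed example, not code from this thread or from audit-userspace, and it models only what the thread discusses: the exit list is consulted for records generated by a syscall rule (first matching rule wins, so a `never,exit` rule only helps if it sits before the `always,exit` rule that would otherwise match), while a kernel configuration-change record such as NETFILTER_CFG skips the exit list entirely and can only be dropped by the exclude list, which here matches on `msgtype` and the task's `auid`. The rule strings, the `/usr/sbin/iptables` path, the records and the `4294967295` encoding of `auid=-1` (auditctl stores the unset loginuid that way) are assumptions for illustration; other filter lists, field operators other than `=`, and the remaining exclude fields are deliberately left out.

```python
"""Toy model of which auditd rule list a record passes through.

Added, constructed example; not code from the thread or from audit-userspace.
Only the 'exit' and 'exclude' lists are modelled, with '=' field matches.
"""
import shlex

AUID_UNSET = 4294967295  # what auditctl stores for "-F auid=-1" (unset loginuid)


def parse_rule(rule):
    """Parse an auditctl-style rule string into action, list, fields, syscalls."""
    argv = shlex.split(rule)
    parsed = {"action": None, "list": None, "fields": {}, "syscalls": []}
    i = 0
    while i < len(argv):
        opt, arg = argv[i], argv[i + 1]
        if opt == "-a":
            parsed["action"], parsed["list"] = arg.split(",", 1)
        elif opt == "-F":
            key, val = arg.split("=", 1)
            if key == "auid" and val == "-1":
                val = str(AUID_UNSET)
            parsed["fields"][key] = val
        elif opt == "-S":
            parsed["syscalls"].extend(arg.split(","))
        # -k (key) does not affect matching; any other option is ignored here
        i += 2
    return parsed


def fields_match(fields, record):
    """Every -F key=value must equal the record's corresponding value."""
    return all(str(record.get(key)) == val for key, val in fields.items())


def is_logged(rules, record):
    """Return (logged, reason) for one record against an ordered rule list."""
    parsed = [parse_rule(r) for r in rules]

    # Step 1: records that come from a syscall rule are decided by the exit
    # list, in order; the first matching rule's action (always/never) wins.
    if record["syscall"] is not None:
        for rule in parsed:
            if rule["list"] != "exit":
                continue
            if (rule["syscalls"] and "all" not in rule["syscalls"]
                    and record["syscall"] not in rule["syscalls"]):
                continue
            if fields_match(rule["fields"], record):
                if rule["action"] == "never":
                    return False, "suppressed by first matching exit rule (never)"
                break  # an always rule matched; the record is generated
        else:
            return False, "no exit rule asked for this syscall"

    # Step 2: kernel-originated records (NETFILTER_CFG, CONFIG_CHANGE, ...)
    # skip the exit list entirely; every record is then checked against the
    # exclude list, which here matches on msgtype and the task's auid.
    for rule in parsed:
        if rule["list"] == "exclude" and fields_match(rule["fields"], record):
            return False, "dropped by exclude rule"
    if record["syscall"] is None:
        return True, "kernel-originated record; exit list never consulted"
    return True, "generated by exit rule, not excluded"


# Constructed rule sets. The never,exit rule with an exe filter stands in for
# the kind of rule the thread describes; the path is an assumption.
RULES_BEFORE = [
    "-a always,exit -F arch=b64 -S setsockopt -k netfilter",
    "-a never,exit -F exe=/usr/sbin/iptables",
]
RULES_AFTER = RULES_BEFORE + [
    "-a always,exclude -F msgtype=NETFILTER_CFG -F auid=-1",
]
RULES_REORDERED = [RULES_BEFORE[1], RULES_BEFORE[0]]

# Constructed records, as the filters see them (task context, not log text).
NFCFG_BOOT = {"msgtype": "NETFILTER_CFG", "auid": AUID_UNSET,
              "exe": "/usr/sbin/iptables", "syscall": None}
NFCFG_ADMIN = dict(NFCFG_BOOT, auid=1000)
SYSCALL_BOOT = {"msgtype": "SYSCALL", "arch": "b64", "auid": AUID_UNSET,
                "exe": "/usr/sbin/iptables", "syscall": "setsockopt"}

if __name__ == "__main__":
    for label, rules, rec in [
        ("never,exit only, NETFILTER_CFG at boot", RULES_BEFORE, NFCFG_BOOT),
        ("with exclude rule, NETFILTER_CFG at boot", RULES_AFTER, NFCFG_BOOT),
        ("with exclude rule, NETFILTER_CFG by auid 1000", RULES_AFTER, NFCFG_ADMIN),
        ("never,exit second, SYSCALL record", RULES_BEFORE, SYSCALL_BOOT),
        ("never,exit first, SYSCALL record", RULES_REORDERED, SYSCALL_BOOT),
    ]:
        print(f"{label}: {is_logged(rules, rec)}")
```

On a real host the equivalent check is to load the exclude rule, confirm it with `auditctl -l`, trigger a rule reload and look for the record with `ausearch -m NETFILTER_CFG -ts recent`; with `-F auid=-1` on the exclude rule, reloads from a boot-time unit (unset loginuid) disappear while the same change made from an interactive session is still recorded.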