Below is a patch which will cause auditctl to report that exclude,never is a meaningless rule construct. This patch was written as it was deemed that exclude,never does not make sense based on the man-pages, and that exclude,always and exclude,never are functionality equivalent. Thanks, Mike ---- Signed-off-by: Michael Thompson <mcthomps(a)us.ibm.com&gt; --- audit-1.2.3/src/auditctl.c 2006-05-18 16:24:20.000000000 -0500 +++ audit-1.2.3-patched/src/auditctl.c 2006-05-30 09:21:31.000000000 -0500 @@ -151,7 +151,10 @@ static int audit_rule_setup(const char * else return 2; if (strstr(opt, "never")) - *act = AUDIT_NEVER; + if (*flags & AUDIT_FILTER_EXCLUDE) + return 2; + else + *act = AUDIT_NEVER; else if (strstr(opt, "possible")) return 1; else if (strstr(opt, "always")) --- audit-1.2.3/docs/auditctl.8 2006-05-17 16:57:25.000000000 -0500 +++ audit-1.2.3-patched/docs/auditctl.8 2006-05-30 09:28:02.000000000 -0500 @@ -55,7 +55,7 @@ Add a rule to the syscall exit list. Thi Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, and pid. All other fields will be treated as non-matching. .TP .B exclude -Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. +Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field. Note that only valid list/action pair for exclude is: exclude,always. .RE The following describes the valid actions for the rule: