exclude filter action ignored?

Hi Steve, Can you confirm that the exclude filter action parameter is ignored? I can't find any evidence in the kernel or in userspace that the action value is actually honoured. In fact, looking at the manpage for auditctl(8), the wording of the action contradicts the intuitive meaning of that filter name. And as a matter of fact, I find discussion of it here: https://www.redhat.com/archives/linux-audit/2005-October/msg00020.html In auditctl, setopt() calls audit_rule_setup() which calls lookup_filter() and lookup_action(), then calls audit_rule_fieldpair_data() none of which check when parsing the AUDIT_MSGTYPE field. During rule addition, in kernel/auditfilter.c:audit_rule_change() and callees AUDIT_FILTER_TYPE is never checked for either action but simply copied. When called from audit_log_start() in kernel/auditfilter.c:audit_filter_type(), the state is never checked, so either AUDIT_NEVER or AUDIT_ALWAYS actions gives the same result which is to ignore that message type. - RGB -- Richard Guy Briggs <rgb(a)redhat.com&gt; Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635