How to make audit match only one rule?
HI
I have two rules in my audit rules
-a always,exit -F arch=b32 -S execve -k EXEC_LOG
-w /etc/passwd -p wra -k identity
When I enter
cat /etc/passwd on the console
Both rules are matched and there is redundant information in the log. How
to make sure there is only one rule matched.
Thanks a lot.
Attachments:
- attachment.html (text/html — 484 bytes)