Re: auditctl usage for filter lists: "user" , "watch" and "exclude"

Michael C Thompson wrote: > Hey all, > > I'm trying to understand better the user, watch and exclude auditctl > filter lists. I believe I have a reasonable understanding of exclude > from some examples Steve gave (see below), but I have very little idea > of how user is meant to be used, and none about watch. > > Any enlightenment will be helpful. > > For the exclude list, > > exclude,always -F msgtype=SYSCALL > > seems to be the only valid structure, where msgtype can be any value > (XXX) for the type in the audit.log? (where the 1st field in the audit > log is type=XXX) > > Are there more filters that apply? (and does it have any meaning > without a filter?) Question, is it intended for: auditctl -a exclude,always -F msgtype=CONFIG_CHANGE and auditctl -a exclude,never -F msgtype=CONFIG_CHANGE (being active at different times) to both block the CONFIG_CHANGE messages? I would assume that exclude,never to _not_ block messages of that type?