Hi,
On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > Why is it being logged, given that it matches the second (and last) rule I
> > have?
>
> These two events are considered kernel configuration changes. Which means that
> they do not originate via the SYSCALL rule engine. The -a never,exit
> technique works only when the event is generated as a result of other SYSCALL
> rules. Normally you would place that higher up so it matches first.
>
> In this case, what you would want to do is suppress it using the exclude
> filter:
>
> -a always,exclude -F msgtype=NETFILTER_CFG
>
> That should fix it.

I see, and I can still add auid=-1 to that one, right? Just not the exe filter?
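A small model of the filter behaviour Steve describes, added here as an illustration and not taken from the thread or from the audit project's code: exit-list rules are only consulted for records a syscall produced, the exclude list is consulted for every record type, and within a list the first match wins. The rule lines, record fields and the `from_syscall` flag are constructed for the example; which `-F` fields the kernel accepts on the exclude list is not modelled (auditctl(8) documents that).

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str     # "always" or "never"
    flist: str      # filter list: "exit" or "exclude"
    fields: dict    # -F key=value pairs, e.g. {"msgtype": "NETFILTER_CFG"}


@dataclass
class Record:
    msgtype: str
    from_syscall: bool            # False for kernel configuration-change records
    fields: dict = field(default_factory=dict)


def parse_rule(line: str) -> Rule:
    """Parse an auditctl-style rule line; only -a and -F are interpreted here."""
    toks = line.split()
    action, flist = toks[toks.index("-a") + 1].split(",", 1)
    fields = {}
    for i, tok in enumerate(toks):
        if tok == "-F":
            key, value = toks[i + 1].split("=", 1)
            fields[key] = value
    return Rule(action, flist, fields)


def matches(rule: Rule, rec: Record) -> bool:
    """All -F fields of the rule must equal the record's values."""
    for key, value in rule.fields.items():
        actual = rec.msgtype if key == "msgtype" else rec.fields.get(key)
        if actual != value:
            return False
    return True


def is_logged(rules: list, rec: Record) -> bool:
    """Decide whether a record reaches the log; first match wins per list."""
    # The exclude list is checked for every record, however it was produced.
    for rule in rules:
        if rule.flist == "exclude" and rule.action == "always" and matches(rule, rec):
            return False
    # The exit list lives in the syscall rule engine, so it is consulted only
    # for records a syscall produced; a never rule must sit above the always
    # rule it is meant to override, because the first match decides.
    if rec.from_syscall:
        for rule in rules:
            if rule.flist == "exit" and matches(rule, rec):
                return rule.action == "always"
        return False  # no exit rule asked for this syscall at all
    # Kernel configuration changes bypass the syscall engine entirely.
    return True
```

With a constructed rule set like Andreas's (a `never,exit` rule with `auid` and `exe` fields above an `always,exit` syscall rule), a syscall-produced record is suppressed but a NETFILTER_CFG configuration-change record is still logged until an `always,exclude` rule on `msgtype` is added.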