> I don't know what the "add rule to list=2" means
> though.
list=2 means that it was added to the entry list; now the
CONFIG_CHANGE messages tell you which filter list it was added to.
2 == entry, 5 == exclude, etc.
Wow, not very intuitive. The auditctl manpage talks about lists
by name (entry, exclude, etc), not by number. With the 1.2.1 tools
ausearch with the '-i' option doesn't translate the number into a name.
Does it with the 1.2.2 tools?
Speaking of ausearch, I just noticed that it emits this message:
# /sbin/ausearch -m CONFIG_CHANGE -i
Warning - freq is non-zero and incremental flushing not selected.
Not sure what that means. Maybe it's time I updated my tools.
-- ljk