Re: auditctl usage for filter lists: "user" , "watch" and "exclude"
Steve Grubb wrote:
On Thursday 18 May 2006 11:41, Michael C Thompson wrote:
> It also seems to be that:
>
> auditctl -a exclude,always -F msgtype=CWD
> auditctl -a exclude,always -F msgtype=PATH
>
> and
>
> auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH
>
> do not work in the same way,
This is true. The ones on the same line form an "and" expression. The ones on
different lines form an "or" expression.
So then it should be safe to say that having two -F msgtype=... is an
invalid construct for a rule? Since messages have only 1 type?
Mike