Multiple Rule Logic

Tuesday, 16 May 2006

Hey Steve,

I was wondering what is to be expected when multiple rules exist that 
pertain to the same action.

Examples:
entry,always -S chmod   - should see a record for chmod
exclude,always -S all   - should never see any sys calls

Combined, should I expect a chmod record?

 From my experiments with the current code, if any one rule instructs 
audit to log the action, auditd will log it (i.e. I'll see a chmod 
record). I'm wondering if this is the intended functionality.

Thanks,
Mike

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Multiple Rule Logic