On Thursday 18 May 2006 11:58, Michael C Thompson wrote:
True, but I didn't mean for you to interpret them as being active together. Example:
auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
auditctl -a entry,always -S chmod -- no message logged
auditctl -D
auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
auditctl -a entry,always -S chmod -- no message logged
The 2nd no message logged doesn't make sense to me, as the exclude,never is in fact causing the messages to not get logged.

Looking at the kernel code...I don't think it takes the action into account.
If you have exclude list and msgtype matches, it gets excluded.
-Steve
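
Added example, not part of the original message and not the kernel's code: a small C model of the behaviour the reply describes (a msgtype match on the exclude list suppresses the record whatever the action) beside a hypothetical action-aware reading, run against the two rules from the question. The struct, enum and function names are assumptions made for this model; the message type numbers are those in linux/audit.h.

```c
#include <stdio.h>
#include <stddef.h>

/* Message type numbers as defined in linux/audit.h. */
enum { MSG_SYSCALL = 1300, MSG_CONFIG_CHANGE = 1305 };

/* Hypothetical names for this model; not the kernel's structures. */
enum action { ACT_NEVER, ACT_ALWAYS };

struct exclude_rule {
    enum action action;   /* the "never"/"always" half of "exclude,<action>" */
    int msgtype;          /* value given with -F msgtype= */
};

/* The two rule sets from the message, each loaded on its own. */
static const struct exclude_rule always_rule[] = { { ACT_ALWAYS, MSG_CONFIG_CHANGE } };
static const struct exclude_rule never_rule[]  = { { ACT_NEVER,  MSG_CONFIG_CHANGE } };

/* Behaviour described in the reply: a msgtype match on the exclude list
 * suppresses the record; the rule's action is never consulted. */
int excluded_action_ignored(const struct exclude_rule *r, size_t n, int type)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].msgtype == type)
            return 1;
    return 0;
}

/* Hypothetical action-aware reading (what the question expected): the first
 * matching rule decides, and "never" means the record is not excluded. */
int excluded_action_honoured(const struct exclude_rule *r, size_t n, int type)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].msgtype == type)
            return r[i].action == ACT_ALWAYS;
    return 0;
}

int main(void)
{
    printf("exclude,always: ignored=%d honoured=%d\n",
           excluded_action_ignored(always_rule, 1, MSG_CONFIG_CHANGE),
           excluded_action_honoured(always_rule, 1, MSG_CONFIG_CHANGE));
    printf("exclude,never:  ignored=%d honoured=%d\n",
           excluded_action_ignored(never_rule, 1, MSG_CONFIG_CHANGE),
           excluded_action_honoured(never_rule, 1, MSG_CONFIG_CHANGE));
    return 0;
}
```

Under the action-ignoring model both rules suppress CONFIG_CHANGE records, which matches the two "no message logged" results in the question; only the action-aware model would let the record through for exclude,never.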