Hey Steve,
I was wondering what is to be expected when multiple rules exist that
pertain to the same action.
Examples:
entry,always -S chmod - should see a record for chmod
exclude,always -S all - should never see any sys calls
Combined, should I expect a chmod record?
From my experiments with the current code, if any one rule instructs
audit to log the action, auditd will log it (i.e. I'll see a chmod
record). I'm wondering if this is the intended functionality.
Thanks,
Mike
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
