Michael C Thompson wrote:
Michael C Thompson wrote:
Hey all,
I'm trying to understand better the user, watch and exclude auditctl
filter lists. I believe I have a reasonable understanding of exclude
from some examples Steve gave (see below), but I have very little idea
of how user is meant to be used, and none about watch.
Any enlightenment will be helpful.
For the exclude list,
exclude,always -F msgtype=SYSCALL
seems to be the only valid structure, where msgtype can be any value
(XXX) for the type in the audit.log? (where the 1st field in the audit
log is type=XXX)
Are there more filters that apply? (and does it have any meaning
without a filter?)
Question, is it intended for:
auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
and
auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
(being active at different times) to both block the CONFIG_CHANGE
messages? I would assume that exclude,never to _not_ block messages of
that type?
It also seems to be that:
auditctl -a exclude,always -F msgtype=CWD
auditctl -a exclude,always -F msgtype=PATH
and
auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH
do not work in the same way, in fact, "auditctl -a exclude,always -F
msgtype=CWD -F msgtype=PATH" does not remove either the CWD or the PATH
type from the message. Can the exclude list have only 1 msgtype per rule?
Mike
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
