On Thursday 18 May 2006 10:47, Michael C Thompson wrote:
> but I have very little idea of how user is meant to be used, and none about
> watch.

First, watch doesn't exist. I deleted it from the man pages yesterday. User is used to filter userspace-originating audit messages. For example, you can use passwd and a message can be generated saying that a user's password has been changed. You can filter those events so that they do not hit the audit logs.

auditctl -a user,always -F uid=500

> For the exclude list,
>
> exclude,always -F msgtype=SYSCALL
>
> seems to be the only valid structure, where msgtype can be any value
> (XXX) for the type in the audit.log? (where the 1st field in the audit
> log is type=XXX)

Yes. But note that you can also do things like this:

-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'

to take out a whole range of message types.

> Are there more filters that apply? (and does it have any meaning without
> a filter?)

No

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
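The exclude-list behaviour Steve describes (a single msgtype match, and two -F comparisons on one rule acting as a range) can be checked offline by replaying rules against sample records. The script below is an added example written for this page, not code from the post or from the audit project; it does not run auditctl and needs no root. It assumes a small name-to-number table for audit message types (values as I recall them from linux/audit.h and libaudit.h; treat them as an assumption and compare against your own headers), and the log lines and rules it feeds in are constructed, not captured.

```python
"""Replay 'exclude' list rules against sample audit records (offline).

Added example, not from the mailing-list post. MSGTYPE is a constructed
subset of the AUDIT_* message type numbers (assumption: verify against
linux/audit.h and libaudit.h). The rules and log lines are constructed.
"""
import re
import shlex

# Assumption: name -> number for a handful of audit message types.
MSGTYPE = {
    "USER": 1005,
    "USER_AUTH": 1100,
    "USER_CHAUTHTOK": 1108,
    "DAEMON_START": 1200,
    "DAEMON_END": 1201,
    "DAEMON_ABORT": 1202,
    "DAEMON_CONFIG": 1203,
    "DAEMON_RECONFIG": 1204,
    "DAEMON_ROTATE": 1205,
    "DAEMON_RESUME": 1206,
    "SYSCALL": 1300,
}

# Comparison operators accepted after -F; longer tokens first so that
# ">=" is not mis-parsed as ">" followed by "=".
OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
FIELD_RE = re.compile(r"^(msgtype)(>=|<=|!=|=|>|<)(.+)$")


def parse_rule(line):
    """Parse one '-a exclude,always -F ...' rule into its comparisons.

    Returns a list of (op, number) tuples. All -F fields on one rule must
    match (they are ANDed), which is what turns a '>=' / '<=' pair into a
    range. Only msgtype is a valid field on the exclude list.
    """
    argv = shlex.split(line)
    if argv and argv[0] == "auditctl":
        argv = argv[1:]
    if argv[:2] != ["-a", "exclude,always"]:
        raise ValueError("only exclude,always rules are handled here: %r" % line)
    fields = []
    i = 2
    while i < len(argv):
        if argv[i] != "-F" or i + 1 >= len(argv):
            raise ValueError("malformed rule: %r" % line)
        m = FIELD_RE.match(argv[i + 1])
        if not m:
            raise ValueError("exclude list only filters on msgtype: %r" % argv[i + 1])
        value = m.group(3)
        num = MSGTYPE[value] if value in MSGTYPE else int(value)
        fields.append((m.group(2), num))
        i += 2
    return fields


def excluded(record_type, rules):
    """True if a record whose type= is record_type matches any exclude rule."""
    num = MSGTYPE[record_type]
    return any(all(OPS[op](num, val) for op, val in rule) for rule in rules)


def apply_exclude(rules_text, log_lines):
    """Return the log lines that would still reach the audit log."""
    rules = [parse_rule(l) for l in rules_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    kept = []
    for line in log_lines:
        m = re.match(r"type=(\S+)", line)
        if not m or not excluded(m.group(1), rules):
            kept.append(line)
    return kept


# Constructed rules: the single-type form from the question and the
# range form from the reply.
RULES = """\
# drop every syscall record
-a exclude,always -F msgtype=SYSCALL
# drop DAEMON_START .. DAEMON_ROTATE as one range
-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'
"""

# Constructed records; only the type= field matters to the exclude list.
LOG = [
    "type=DAEMON_START msg=audit(1147960000.000:1): auditd start, ver=1.2 pid=2020 res=success",
    "type=SYSCALL msg=audit(1147960001.000:2): arch=40000003 syscall=5 success=yes exit=3",
    "type=DAEMON_ROTATE msg=audit(1147960002.000:3): auditd pid=2020 rotate",
    "type=DAEMON_RESUME msg=audit(1147960003.000:4): auditd pid=2020 resume",
    "type=USER_AUTH msg=audit(1147960004.000:5): user pid=2100 uid=0 auid=500 msg='PAM: authentication acct=root res=success'",
]

if __name__ == "__main__":
    for line in apply_exclude(RULES, LOG):
        print(line)
```

DAEMON_RESUME survives only because it sits numerically above DAEMON_ROTATE in the table, which is the point of checking a range rule this way before loading it: the range covers whatever numbers lie between the two names, not the names you happen to have in mind.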
