On Thursday 18 May 2006 10:59, Michael C Thompson wrote:
> Question, is it intended for:
> auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
> and
> auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
>
> (being active at different times) to both block the CONFIG_CHANGE
> messages? I would assume that exclude,never would _not_ block messages of
> that type?
I can't see a reason to have both for the same msgtype. The first rule to match "wins" though, so the second rule would not apply. I can see that you may want to do something like this:

-a exclude,never -F msgtype=DAEMON_END
-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'

Together, this means exclude all messages in the DAEMON_* range except the DAEMON_END message.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
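The first-match-wins behaviour Steve describes, as an added example that is not part of the thread: a small simulator of the exclude filter that parses auditctl rule lines and reports which record types would be dropped. It assumes the numeric record-type codes from libaudit.h (DAEMON_START=1200 .. DAEMON_ROTATE=1205, CONFIG_CHANGE=1305); verify them against your own headers before relying on them.

```python
import re
import shlex

# Record type numbers as found in libaudit.h (assumed here; check your headers).
MSGTYPE = {
    "DAEMON_START": 1200, "DAEMON_END": 1201, "DAEMON_ABORT": 1202,
    "DAEMON_CONFIG": 1203, "DAEMON_ROTATE": 1205,
    "SYSCALL": 1300, "CONFIG_CHANGE": 1305,
}
OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}
# Only the msgtype field is modelled; longer operators must be tried first.
FIELD = re.compile(r"^msgtype(>=|<=|!=|=|>|<)(\w+)$")

def parse_rule(rule):
    """Turn one '-a exclude,<action> -F msgtype<op>X ...' line into (action, [(op, code)])."""
    toks = shlex.split(rule)
    action = toks[toks.index("-a") + 1].split(",")[1]   # 'always' or 'never'
    conds = []
    for i, tok in enumerate(toks):
        if tok == "-F":
            op, name = FIELD.match(toks[i + 1]).groups()
            conds.append((op, MSGTYPE[name] if name in MSGTYPE else int(name)))
    return action, conds

def is_excluded(rules, code):
    """First matching rule wins: 'always' drops the record, 'never' keeps it."""
    for action, conds in rules:
        if all(OPS[op](code, val) for op, val in conds):
            return action == "always"
    return False   # no rule matched: the record is delivered

def excluded_names(rule_lines):
    """Names of the known record types that the given rule list would drop."""
    rules = [parse_rule(r) for r in rule_lines]
    return sorted(n for n, c in MSGTYPE.items() if is_excluded(rules, c))

# Steve's suggested pair, in the order he gives it (constructed input).
STEVE = [
    "-a exclude,never -F msgtype=DAEMON_END",
    "-a exclude,always -F 'msgtype>=DAEMON_START' -F 'msgtype<=DAEMON_ROTATE'",
]

if __name__ == "__main__":
    print("Steve's order:", excluded_names(STEVE))        # DAEMON_END survives
    print("Reversed:     ", excluded_names(STEVE[::-1]))  # DAEMON_END dropped too
```

Swapping the two lines makes the range rule match DAEMON_END first, so the later "never" rule is never consulted; the same applies to the two CONFIG_CHANGE rules from the question.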
