Steve Grubb wrote:
> On Thursday 18 May 2006 10:59, Michael C Thompson wrote:
> > Question, is it intended for:
> > auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
> >    and
> > auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
> >
> > (being active at different times) to both block the CONFIG_CHANGE
> > messages? I would assume that exclude,never would _not_ block messages of
> > that type?
>
> I can't see a reason to have both for the same msgtype. The first rule to match "wins" though, so the second rule would not apply.

True, but I didn't mean for you to interpret them as being active together. Example:

auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
auditctl -a entry,always -S chmod -- no message logged

auditctl -D

auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
auditctl -a entry,always -S chmod -- no message logged

The second "no message logged" doesn't make sense to me, as the exclude,never rule is in fact causing the messages not to get logged.

Mike

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
