Steve Grubb wrote:
> On Thursday 18 May 2006 11:41, Michael C Thompson wrote:
>> It also seems to be that:
>> auditctl -a exclude,always -F msgtype=CWD
>> auditctl -a exclude,always -F msgtype=PATH
>> and
>> auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH
>> do not work in the same way,
>
> This is true. The ones on the same line form an "and" expression. The ones on
> different lines form an "or" expression.

So then it should be safe to say that having two -F msgtype=... is an
invalid construct for a rule? Since messages have only 1 type?
Mike
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
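
The AND/OR behaviour described in this thread, as an added example that is not part of the original message and is not the audit subsystem's code: a small Python model that evaluates the quoted `auditctl` lines against constructed records. The function names and sample records are assumptions, and only the `=` comparison is modelled.

```python
import shlex

def parse_rule(line):
    """Collect the (field, value) pairs given with -F on one auditctl line."""
    tokens = shlex.split(line)
    fields = []
    for i, tok in enumerate(tokens):
        if tok == "-F":
            if i + 1 >= len(tokens) or "=" not in tokens[i + 1]:
                raise ValueError("malformed -F option in: " + line)
            name, value = tokens[i + 1].split("=", 1)
            fields.append((name, value))
    return fields

def rule_matches(fields, record):
    # Fields on the same line form an "and": every one must match.
    return all(record.get(name) == value for name, value in fields)

def excluded(rules, record):
    # Separate lines form an "or": any matching rule excludes the record.
    return any(rule_matches(fields, record) for fields in rules)

def surviving_types(rule_lines, records):
    """Message types still emitted after the exclude rules are applied."""
    rules = [parse_rule(line) for line in rule_lines]
    return [r["msgtype"] for r in records if not excluded(rules, r)]

def unsatisfiable(fields):
    """True if one field is required to equal two different values at once."""
    seen = {}
    return any(seen.setdefault(name, value) != value for name, value in fields)

# Constructed sample records: each message carries exactly one type.
RECORDS = [{"msgtype": t} for t in ("SYSCALL", "CWD", "PATH")]

TWO_RULES = ["auditctl -a exclude,always -F msgtype=CWD",
             "auditctl -a exclude,always -F msgtype=PATH"]
ONE_RULE = ["auditctl -a exclude,always -F msgtype=CWD -F msgtype=PATH"]

if __name__ == "__main__":
    print("two rules :", surviving_types(TWO_RULES, RECORDS))
    print("one rule  :", surviving_types(ONE_RULE, RECORDS))
    for line in TWO_RULES + ONE_RULE:
        print(unsatisfiable(parse_rule(line)), line)
```

In this model the single-line form excludes nothing, so CWD and PATH records would still be logged; a check like `unsatisfiable` can flag such a rule when reviewing a rules file.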