On Thursday 18 May 2006 11:58, Michael C Thompson wrote: > True, but I didn't mean for you to interpret them as being active > together. Example: > > auditctl -a exclude,always -F msgtype=CONFIG_CHANGE > auditctl -a entry,always -S chmod -- no message logged > > auditctl -D > > auditctl -a exclude,never -F msgtype=CONFIG_CHANGE > auditctl -a entry,always -S chmod -- no message logged
> The 2nd no message logged doesn't make sense to me, as the exclude,never > is in fact causing the messages to not get logged. Looking at the kernel code...I don't think it takes the action into account. If you have exclude list and msgtype matches, it gets excluded. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
