>> I don't know what the "add rule to list=2" means though.
>
> list=2 means that it was added to the entry list, now the
> CONFIG_CHANGE messages tell you which filter list it was added to.
> 2 == entry, 5 == exclude, etc.

Wow, not very intuitive. The auditctl manpage talks about lists by name (entry, exclude, etc.), not by number. With the 1.2.1 tools ausearch with the '-i' option doesn't translate the number into a name. Does it with the 1.2.2 tools?

Speaking of ausearch, I just noticed that it emits this message:

# /sbin/ausearch -m CONFIG_CHANGE -i
Warning - freq is non-zero and incremental flushing not selected.

Not sure what that means. Maybe it's time I updated my tools.

-- 
ljk

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
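The translation the poster wishes ausearch -i did, done by hand: the following script is an added example, not code from the thread or from the audit tools. It parses raw CONFIG_CHANGE records and maps the numeric list= field to the names auditctl uses. The values 2 (entry) and 5 (exclude) come from the thread; the other four entries are the remaining AUDIT_FILTER_* constants from the kernel's linux/audit.h. The sample log lines are constructed for this example, including the bogus list=9 used to show how an unknown number is reported rather than silently dropped.

```python
import re

# Audit filter-list numbers as defined by the kernel's AUDIT_FILTER_* constants
# in linux/audit.h. list=2 (entry) and list=5 (exclude) are the two named in the
# thread; the other four are the remaining kernel values.
AUDIT_FILTER_LISTS = {
    0: "user",
    1: "task",
    2: "entry",
    3: "watch",
    4: "exit",
    5: "exclude",
}

# Constructed sample records in the key=value layout auditd writes to audit.log;
# timestamps, serials and the unknown list=9 are made up for this example.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1140000000.101:17): auid=0 op=add rule key=(null) list=2 res=1
type=CONFIG_CHANGE msg=audit(1140000000.102:18): auid=0 op=add rule key=(null) list=5 res=1
type=CONFIG_CHANGE msg=audit(1140000000.103:19): auid=0 op=remove rule key=(null) list=4 res=1
type=SYSCALL msg=audit(1140000000.104:20): arch=40000003 syscall=5 success=yes exit=3
type=CONFIG_CHANGE msg=audit(1140000000.105:21): auid=0 op=add rule key=(null) list=9 res=1
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# "op=add rule" / "op=remove rule" carry a space inside the value, so match
# that form first, then fall back to a quoted string or a whitespace-free token.
FIELD_RE = re.compile(r'(\w+)=((?:add|remove) rule|"[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into {'type', 'time', 'serial', fields...}.

    Returns None for a line that does not look like an audit record.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "type": m.group(1),
        "time": float("%s.%s" % (m.group(2), m.group(3))),
        "serial": int(m.group(4)),
    }
    for key, value in FIELD_RE.findall(m.group(5)):
        rec[key] = value.strip('"')
    return rec


def list_name(number):
    """Translate a numeric list= value to the name auditctl(8) uses."""
    try:
        n = int(number)
    except (TypeError, ValueError):
        return "unknown(%r)" % (number,)
    return AUDIT_FILTER_LISTS.get(n, "unknown(%d)" % n)


def interpret_config_changes(text):
    """Return one dict per CONFIG_CHANGE rule record, with list= translated."""
    out = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "CONFIG_CHANGE" or "list" not in rec:
            continue
        out.append({
            "serial": rec["serial"],
            "auid": rec.get("auid"),
            "op": rec.get("op"),
            "list": list_name(rec["list"]),
            "res": rec.get("res"),
        })
    return out


if __name__ == "__main__":
    for change in interpret_config_changes(SAMPLE_LOG):
        print("serial=%(serial)d auid=%(auid)s op=%(op)s list=%(list)s res=%(res)s"
              % change)
```

To run it over a real log, replace SAMPLE_LOG with the contents of /var/log/audit/audit.log; the SYSCALL line in the sample is there to show that non-CONFIG_CHANGE records are parsed but skipped, and an unknown list number is reported as unknown(N) so that a newer kernel's lists are never mislabelled.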
