Hey Steve,

I'm doing some testing (a rare occurrence, I know), and I've noticed that when the active rules are:

auditctl -a entry,always -S chmod
auditctl -a exclude,always -F msgtype=SYSCALL

the chmod actions are not logged. Now, this is what I would expect to happen when just reading those lines, not knowing about the internal workings of audit. However, if the rules are

auditctl -a entry,always -S chmod
auditctl -a exclude,never -F msgtype=SYSCALL

the chmod actions are not logged either. I would read the second rule as saying "do not exclude messages of type SYSCALL". Is this a correct interpretation of the rule?

Thanks,
Mike

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit