The exclude filter defaults to "never", ignoring the action. Make a note of that to clarify the sense and intent of the filter.
Signed-off-by: Richard Guy Briggs <[email protected]> --- docs/audit.rules.7 | 2 +- docs/audit_add_rule_data.3 | 2 +- docs/auditctl.8 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/audit.rules.7 b/docs/audit.rules.7 index 192d42f..042c7dc 100644 --- a/docs/audit.rules.7 +++ b/docs/audit.rules.7 @@ -40,7 +40,7 @@ The exit filter is the place where all syscall and file system audit requests ar The user filter is used to filter (remove) some events that originate in user space. By default, any event originating in user space is allowed. So, if there are some events that you do not want to see, then this is a place where some can be removed. See auditctl(8) for fields that are valid. -The exclude filter is used to exclude certain events from being emitted. The msgtype field is used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events. +The exclude filter is used to exclude certain events from being emitted. The msgtype and a number of subject attribute fields can be used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events. The action is ignored for this filter, defaulting to "never". Syscall rules take the general form of: diff --git a/docs/audit_add_rule_data.3 b/docs/audit_add_rule_data.3 index a0802c0..3e9039d 100644 --- a/docs/audit_add_rule_data.3 +++ b/docs/audit_add_rule_data.3 @@ -21,7 +21,7 @@ AUDIT_FILTER_TASK - Apply rule at task creation (not syscall). This is the task AUDIT_FILTER_EXIT - Apply rule at syscall exit. This is the main filter that is used for syscalls and filesystem watches. Normally all syscall do not trigger events, so this is normally used to specify events that are of interest. .TP \(bu -AUDIT_FILTER_TYPE - Apply rule at audit_log_start. This is the exclude filter which discards any records that match. +AUDIT_FILTER_TYPE - Apply rule at audit_log_start. This is the exclude filter which discards any records that match. The action type is ignored for this filter, defaulting to "never". .LP .PP diff --git a/docs/auditctl.8 b/docs/auditctl.8 index 05e389e..88466de 100644 --- a/docs/auditctl.8 +++ b/docs/auditctl.8 @@ -81,7 +81,7 @@ Add a rule to the syscall exit list. This list is used upon exit from a system c Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded. .TP .B exclude -Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context +Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. Events can be excluded by process ID, user ID, group ID, login user ID, message type or subject context. The action is ignored and uses its default of "never". .RE The following describes the valid \fIactions\fP for the rule: -- 1.7.1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
