Hi,

On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgr...@redhat.com> wrote:
>
> On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > Why is it being logged, given that it matches the second (and last) rule I
> > have?
>
> These two events are considered kernel configuration changes. Which means that
> they do not originate via the SYSCALL rule engine. The -a never,exit
> technique works only when the event is generated as a result of other SYSCALL
> rules. Normally you would place that higher up so it matches first.
>
> In this case, what you would want to do is suppress it using the exclude
> filter:
>
> -a always,exclude -F msgtype=NETFILTER_CFG
>
> That should fix it.

I see, and I can still add auid=-1 to that one, right? Just not the exe filter?

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
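
Added example, not part of the original thread: a Python triage script that groups audit records by event ID and lists the record types that appear without an accompanying SYSCALL record, which per the explanation quoted above are candidates for the exclude filter rather than -a never,exit. The log lines are constructed, and treating "no SYSCALL record in the event" as "not generated by the SYSCALL rule engine" is a heuristic assumed here; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Header of every audit record: type=NAME msg=audit(TIMESTAMP:SERIAL):
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1605811414.381:1234): table=filter family=2 entries=4
type=SYSCALL msg=audit(1605811420.101:1240): arch=c000003e syscall=257 success=yes exit=3 auid=1000 exe="/usr/bin/cat" key="watch"
type=CWD msg=audit(1605811420.101:1240): cwd="/root"
type=PATH msg=audit(1605811420.101:1240): item=0 name="/etc/shadow" nametype=NORMAL
type=NETFILTER_CFG msg=audit(1605811431.772:1251): table=nat family=2 entries=5
"""


def group_events(log_text):
    """Map (timestamp, serial) -> list of record types in that event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, ts, serial = m.groups()
            events[(ts, serial)].append(rtype)
    return dict(events)


def standalone_types(log_text):
    """Count record types seen in events that carry no SYSCALL record."""
    counts = defaultdict(int)
    for types in group_events(log_text).values():
        # Heuristic (assumption): no SYSCALL record means the event was
        # not produced by a syscall rule, so never,exit cannot match it.
        if "SYSCALL" not in types:
            for rtype in types:
                counts[rtype] += 1
    return dict(counts)


def exclude_rule(msgtype):
    """Build an exclude-filter rule in the form quoted in the thread."""
    return f"-a always,exclude -F msgtype={msgtype}"


if __name__ == "__main__":
    for rtype, n in sorted(standalone_types(SAMPLE_LOG).items()):
        print(f"{rtype}: {n} standalone event(s); candidate rule: {exclude_rule(rtype)}")
```

Running the same functions over the log again after loading the rule shows whether the standalone count for that record type has stopped growing.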