On Thursday, November 19, 2020 1:59:58 PM EST Andreas Hasenack wrote:
> Hi,
>
> On Thu, Nov 19, 2020 at 3:52 PM Steve Grubb <sgr...@redhat.com> wrote:
> > On Thursday, November 19, 2020 1:43:34 PM EST Andreas Hasenack wrote:
> > > Why is it being logged, given that it matches the second (and last)
> > > rule I have?
> >
> > These two events are considered kernel configuration changes. Which means
> > that they do not originate via the SYSCALL rule engine. The -a
> > never,exit technique works only when the event is generated as a result
> > of other SYSCALL rules. Normally you would place that higher up so it
> > matches first.
> >
> > In this case, what you would want to do is suppress it using the exclude
> > filter:
> >
> > -a always,exclude -F msgtype=NETFILTER_CFG
> >
> > That should fix it.
>
> I see, and I can still add auid=-1 to that one, right? Just not the exe
> filter?
You can add the -F auid=-1 if you want to.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
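The two points Steve makes, as an added example that is not part of the thread and not audit project code: a small POSIX shell script that builds the exclude rule (with the optional -F auid=-1 Andreas asked about) and lints an audit.rules fragment for a -a never,exit rule placed below the always,exit rules it is meant to shadow, which is the ordering problem Steve refers to with "place that higher up so it matches first". The helper names, the temporary file and the sample rules are constructed for this example; nothing here can make a never,exit rule suppress NETFILTER_CFG, which is the point of the thread.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread or the audit project.
# Builds the exclude rule from the thread and lints an audit.rules fragment
# for the never,exit ordering problem discussed there.

# exclude_rule MSGTYPE [AUID]
# Prints "-a always,exclude -F msgtype=MSGTYPE", adding "-F auid=AUID" when
# a second argument is given. auid=-1 is the unset loginuid, i.e. processes
# with no login session behind them (boot-time services, daemons), which is
# the case Andreas wanted to cover.
exclude_rule() {
    msgtype=$1
    auid=${2:-}
    rule="-a always,exclude -F msgtype=${msgtype}"
    if [ -n "$auid" ]; then
        rule="${rule} -F auid=${auid}"
    fi
    printf '%s\n' "$rule"
}

# lint_rules FILE
# Writes one line per finding to stderr and the number of findings to stdout.
# The exit filter is first-match, so a never,exit rule only suppresses a
# syscall event if it sits above the always,exit rules that would record it.
# (It never affects events that do not come from the syscall engine, such as
# NETFILTER_CFG; those need the exclude filter instead.)
lint_rules() {
    file=$1
    findings=0
    seen_always_exit=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blanks and comments
        esac
        case "$line" in
            *'-a always,exit'*|*'-a exit,always'*)
                seen_always_exit=1 ;;
            *'-a never,exit'*|*'-a exit,never'*)
                if [ "$seen_always_exit" -eq 1 ]; then
                    echo "ORDER: never,exit rule below an always,exit rule, move it up: $line" >&2
                    findings=$((findings + 1))
                fi ;;
        esac
    done < "$file"
    printf '%s\n' "$findings"
}

# demo: a constructed rules fragment that reproduces the thread's situation,
# then the rule that actually suppresses the NETFILTER_CFG events.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: records execve, then tries to hide iptables afterwards
-a always,exit -F arch=b64 -S execve -k exec
-a never,exit -F arch=b64 -S all -F exe=/usr/sbin/iptables
EOF
    echo "findings: $(lint_rules "$f")"
    echo "rule to add: $(exclude_rule NETFILTER_CFG -1)"
    rm -f "$f"
}

demo
```

To apply the generated rule for real, put it in a file under /etc/audit/rules.d/ and run `augenrules --load`, or load a file directly with `auditctl -R FILE`; `auditctl -l` then shows the exclude rule in the loaded set. Note that the linter only inspects ordering within the exit filter; the exclude filter is a separate list, so the position of the `-a always,exclude` line relative to the exit rules does not matter.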