From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditctl usage for filter lists: "user" , "watch" and "exclude"
Date: Thu, 18 May 2006 12:13:07 -0400
Message-ID: <200605181213.07697.sgrubb@redhat.com>
References: <446C8915.20606@us.ibm.com> <200605181155.15157.sgrubb@redhat.com> <446C999F.2010306@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <446C999F.2010306@us.ibm.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Michael C Thompson
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 18 May 2006 11:58, Michael C Thompson wrote:
> True, but I didn't mean for you to interpret them as being active
> together. Example:
>
> auditctl -a exclude,always -F msgtype=CONFIG_CHANGE
> auditctl -a entry,always -S chmod -- no message logged
>
> auditctl -D
>
> auditctl -a exclude,never -F msgtype=CONFIG_CHANGE
> auditctl -a entry,always -S chmod -- no message logged
> The 2nd no message logged doesn't make sense to me, as the exclude,never
> is in fact causing the messages to not get logged.

Looking at the kernel code...I don't think it takes the action into account.
If you have exclude list and msgtype matches, it gets excluded.

-Steve
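An added example, not part of the original message and not code from the audit project: a shell check that lists which message types a rules file suppresses through the exclude list, treating `always` and `never` alike as the reply above describes. The sample rules are constructed, the function name `excluded_msgtypes` is hypothetical, and only the `msgtype=` form shown in the thread is parsed.

```shell
#!/bin/sh
# Constructed sample rules, written in the auditctl syntax used in the thread.
SAMPLE_RULES='-a exclude,always -F msgtype=CONFIG_CHANGE
-a entry,always -S chmod
-a exclude,never -F msgtype=USER_LOGIN
# -a exclude,always -F msgtype=AVC'

# excluded_msgtypes (hypothetical helper): reads rule lines on stdin and
# prints one line per exclude-list rule that names a msgtype. Per the reply
# above, a matching msgtype on the exclude list is dropped whatever the
# action is, so "never" rules are reported as suppressing too.
excluded_msgtypes() {
    awk '
    /^[ \t]*#/ { next }                      # skip commented-out rules
    {
        list = ""; action = ""; mtype = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-a" || $i == "-A") {
                # The pair may be written list,action or action,list.
                n = split($(i + 1), part, ",")
                for (j = 1; j <= n; j++) {
                    if (part[j] == "always" || part[j] == "never")
                        action = part[j]
                    else
                        list = part[j]
                }
            }
            if ($i == "-F" && $(i + 1) ~ /^msgtype=/)
                mtype = substr($(i + 1), 9)  # text after "msgtype="
        }
        if (list == "exclude" && mtype != "")
            print mtype " suppressed action=" action
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | excluded_msgtypes
```

Any line reported with `action=never` is a rule whose author may have expected the events to be logged.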