From: Michael C Thompson
Subject: Multiple Rule Logic
Date: Tue, 16 May 2006 15:13:32 -0500
Message-ID: <446A326C.1070600@us.ibm.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hey Steve,

I was wondering what is to be expected when multiple rules exist that pertain to the same action.

Examples:

entry,always -S chmod - should see a record for chmod
exclude,always -S all - should never see any sys calls

Combined, should I expect a chmod record?

From my experiments with the current code, if any one rule instructs audit to log the action, auditd will log it (i.e. I'll see a chmod record). I'm wondering if this is the intended functionality.

Thanks,
Mike