From mboxrd@z Thu Jan  1 00:00:00 1970
From: Linda Knippers <linda.knippers@hp.com>
Subject: Re: Double addition of rule yields two log messages
Date: Fri, 19 May 2006 14:06:29 -0400
Message-ID: <446E0925.1000400@hp.com>
References: <446DE295.8040503@us.ibm.com> <446DEF68.5050405@hp.com>
	<446E0323.4030905@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k4JI7Css006670
	for <linux-audit@redhat.com>; Fri, 19 May 2006 14:07:12 -0400
Received: from atlrel7.hp.com (atlrel7.hp.com [156.153.255.213])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k4JI73Np016180
	for <linux-audit@redhat.com>; Fri, 19 May 2006 14:07:03 -0400
In-Reply-To: <446E0323.4030905@us.ibm.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Michael C Thompson <thompsmc@us.ibm.com>
Cc: Linux Audit <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

>> I don't know what the "add rule to list=2" means though.
>  
> list=2 means that it was added to the entry list, now the
> CONFIG_CHANGE messages tell you which filter list it was added to. 
> 2 == entry, 5 == exclude, etc.

Wow, not very intuitive.  The auditctl manpage talks about lists
by name (entry, exclude, etc), not by number.  With the 1.2.1 tools
ausearch with the '-i' option doesn't translate the number into a name.
Does it with the 1.2.2 tools?

Speaking of ausearch, I just noticed that it emits this message:

# /sbin/ausearch -m CONFIG_CHANGE -i
Warning - freq is non-zero and incremental flushing not selected.

Not sure what that means.  Maybe its time I updated my tools.

-- ljk