From: Linda Knippers
Subject: Re: What is expected: exclude action on the never list?
Date: Tue, 30 May 2006 17:17:31 -0400
Message-ID: <447CB66B.20005@hp.com>
References: <447CAEE6.1030501@us.ibm.com> <200605301712.50107.sgrubb@redhat.com>
In-Reply-To: <200605301712.50107.sgrubb@redhat.com>
To: Steve Grubb
Cc: Linux Audit

Steve Grubb wrote:
> On Tuesday 30 May 2006 16:45, Michael C Thompson wrote:
>
>>I would read the second rule as saying "do not exclude messages of type
>>SYSCALL". Is this a correct interpretation of the rule?
>
> That sounds reasonable, but I don't think that's what the kernel does. Maybe
> it should be corrected. I think it's a 1 or 2 liner.

According to the manpage, I'd say the kernel is behaving as expected.
"Never" means never generate an audit record and "exclude" means
even if one was generated, it should be excluded. The two options
together are somewhat redundant but I don't think "never" was intended
to mean "never do what the previous option just said to do", at least
not according to the manpage.

-- ljk