Description of problem:
This rule:

auditctl -a exclude,always -F msgtype=PATH -F msgtype=CWD

doesn't work as expected. msgtypes are anded by the kernel which means that instead of suppressing the message, they are output. It should be 1 rule, 1 msgtype to work correctly.

Version-Release number of selected component (if applicable):
1.2.7

How reproducible:
always

Steps to Reproduce:
1. see above rule
This was fixed in audit-1.2.8. Thanks for reporting the problem.
# rpm -q audit
audit-1.3.1-1.el5
# auditctl -a exclude,always -F msgtype=PATH -F msgtype=CWD
Only one msgtype may be given per rule

Is this the expected result?
Yes.
audit-1.3.1-1.el5 included in 20061218.1 trees.
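
Added example, not part of the original report or of the audit project's code: a shell function that rewrites an exclude rule carrying several msgtype fields into one rule per msgtype, the form the report says works. The function name split_exclude_rule and the sample rule lines are assumptions made for the illustration, and only the msgtype=VALUE form is handled.

```shell
#!/bin/sh
# Added example: split exclude rules with several msgtype fields into
# one rule per msgtype. Rule lines use the auditctl syntax shown in the
# report; split_exclude_rule is a hypothetical helper name.

split_exclude_rule() {
    # $1: one rule line, e.g. "-a exclude,always -F msgtype=PATH -F msgtype=CWD"
    rule=$1
    rest=""         # the rule without its msgtype fields
    types=""        # msgtype values found, space separated
    is_exclude=0
    prev=""
    set -f          # no globbing while the rule is split into words
    for word in $rule; do
        case "$prev:$word" in
            -F:msgtype=*)    types="$types ${word#msgtype=}" ;;
            -F:*)            rest="${rest:+$rest }-F $word" ;;
            *:-F)            ;;   # hold -F until its field is known
            -[aA]:*exclude*) is_exclude=1; rest="${rest:+$rest }$word" ;;
            *)               rest="${rest:+$rest }$word" ;;
        esac
        prev=$word
    done
    set -- $types   # count the collected msgtype values
    if [ "$is_exclude" -eq 1 ] && [ "$#" -gt 1 ]; then
        # Several msgtypes in one rule are ANDed, so nothing is suppressed.
        # Emit one exclude rule per msgtype instead.
        for t in "$@"; do
            echo "$rest -F msgtype=$t"
        done
    else
        echo "$rule"    # already one msgtype, or not an exclude rule
    fi
    set +f
}

# Constructed sample: the rule from the report.
split_exclude_rule "-a exclude,always -F msgtype=PATH -F msgtype=CWD"
```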