Red Hat Bugzilla – Bug 207666
[LSPP Audit] auditctl doesn't reject exclude rules with multiple msgtypes
Last modified: 2007-11-30 17:07:34 EST
Description of problem:
auditctl -a exclude,always -F msgtype=PATH -F msgtype=CWD
doesn't work as expected. msgtypes are ANDed by the kernel, which means that
instead of being suppressed, the messages are output. It should be 1 rule, 1
msgtype to work correctly.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. see above rule
This was fixed in audit-1.2.8. Thanks for reporting the problem.
# rpm -q audit
# auditctl -a exclude,always -F msgtype=PATH -F msgtype=CWD
Only one msgtype may be given per rule
Is this the expected result?
audit-1.3.1-1.el5 included in 20061218.1 trees.
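
The one-msgtype-per-rule constraint discussed in this report, as an added example that is not part of the original bug thread or the audit project's code. It rewrites an exclude rule that lists several msgtypes into one rule per msgtype; the helper name split_exclude_rules and the sample rules are constructed for illustration, and the input is assumed to be auditctl arguments, one rule per line.

```shell
#!/bin/sh
# Constructed sample input: auditctl arguments, one rule per line.
SAMPLE_RULES='-a exclude,always -F msgtype=PATH -F msgtype=CWD
-a exclude,always -F msgtype=USER_AUTH
-a exit,always -S open -F uid=500'

# split_exclude_rules (hypothetical helper): reads rules on stdin and writes
# them to stdout. An exclude rule carrying several msgtype fields is rewritten
# as one rule per msgtype, because the fields of a single rule are ANDed and
# one record cannot have two types. Every other rule passes through unchanged.
split_exclude_rules() {
    awk '
    {
        n = 0; is_exclude = 0; rest = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-a" && $(i + 1) ~ /(^|,)exclude(,|$)/)
                is_exclude = 1
            if ($i == "-F" && $(i + 1) ~ /^msgtype=/) {
                types[++n] = $(i + 1)   # remember the field, drop it from rest
                i++
                continue
            }
            rest = rest (rest == "" ? "" : " ") $i
        }
        if (is_exclude && n > 1) {
            # Report the offending line on stderr, emit the split rules on stdout.
            printf("line %d: %d msgtype fields in one exclude rule, splitting\n", NR, n) > "/dev/stderr"
            for (j = 1; j <= n; j++)
                print rest " -F " types[j]
        } else {
            print $0
        }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | split_exclude_rules
```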