Fwd: Re: Fw: Audit records for start/stop auditd

David Woodhouse dwmw2 at infradead.org
Fri Apr 8 21:11:34 UTC 2005


On Fri, 2005-04-08 at 12:10 -0500, Klaus Weidner wrote:
> Sending SIGKILL to auditd needs administrator privileges, and for CAPP we
> can assume/require them not to do that.
> 
> The pam_close_session record isn't required by CAPP, we had a discussion
> about session end records some time ago. It's generally less reliable
> than the start record anyway since the session close record doesn't mean
> that all processes launched by that user have terminated; some may have
> been backgrounded.

One answer to this might be to assign a unique 'session id' cookie at
login time, then store and log it with the loginuid at all times. 

Going back to the issue of auditd shutdown, however -- are we satisfied
with merely generating records when the audit_pid is signalled, or
should I revert that patch while we seek a better solution?

-- 
dwmw2




