Fwd: Re: Fw: Audit records for start/stop auditd
David Woodhouse
dwmw2 at infradead.org
Fri Apr 29 18:58:53 UTC 2005
On Fri, 2005-04-08 at 18:12 -0400, Steve Grubb wrote:
> On Friday 08 April 2005 17:11, David Woodhouse wrote:
> > Going back to the issue of auditd shutdown, however -- are we satisfied
> > with merely generating records when the audit_pid is signalled, or
> > should I revert that patch while we seek a better solution?
>
> I've never seen kernel 19 log the signal.
I've now set up an i686 box too, and I'm definitely seeing the signal
get logged correctly there too. In audit.27 (which is currently
building) I've added a printk as well, so we'll know for sure that the
message is being generated. I suspect you're just seeing that auditd is
dropping the message before it shuts down.
type=KERNEL msg=audit(1114795432.814:0): attempt to signal audit daemon: error=0 signal=15 pid=4068 auid=-1
type=DAEMON msg=auditd(1114795432) auditd normal halt, pid=4059, uid=0
--
dwmw2
More information about the Linux-audit
mailing list