Is audit really disabled?

Steve Grubb sgrubb at redhat.com
Wed Aug 10 20:52:07 UTC 2005


On Wednesday 10 August 2005 16:41, James Morris wrote:
> Yes, I think they are login messages.

OK. That bug has a patch. In kernel/audit.c, audit_receive_msg(), sb:

        case AUDIT_USER:
        case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
                if (!audit_enabled && msg_type != AUDIT_USER_AVC)
                        return 0;


> Why is kauditd still running?

In case any messages need to get written to auditd. Not sure if we want to 
start and stop that thread based on audit_pid being/not being set. I would 
defer that decision to David.

-Steve



