audit auditd's syscall?
Junji Kanemaru
linux at linuon.com
Thu Feb 3 14:15:44 UTC 2005
> auditctl -a entry,never -S all -F pid=XXXX
I see. Thank you for the info.
>>2) add option to use netlink_broadcast for kernel
>>audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
>>causes syslog write.
>
> I don't want the audit log polluted with kernel error messages. I think they
> belong in syslog.
Yeah, but isn't it nice to have if auditd can get kernel audit warnings over
the netlink channel before a panic? For example, if auditd can check
audit_backlog_limit, then auditd can take some safer action before a
sudden kernel panic... I'm not saying completely replace it, just another
event for auditd.
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan