audit auditd's syscall?
Avishay Traeger
atraeger at cs.sunysb.edu
Thu Feb 3 16:08:08 UTC 2005
I ran into the same problem - you can solve it with a little script that
starts auditd:
#!/bin/bash
# Restart auditd, enable auditing, then load a catch-all rule that leaves
# out the daemon's own PID so its syscalls are not fed back into the log.
/etc/init.d/auditd restart || exit 1
/sbin/auditctl -e 1
# Match the daemon by exact process name: "grep auditd" also hits kauditd,
# and "cut -c 2-5" breaks as soon as the PID is wider than four digits.
PID=$(pgrep -x auditd | head -n 1)
if [ -z "$PID" ] ; then
    exit 2
fi
/sbin/auditctl -a entry,always -S all -F "pid!=$PID" || exit 3
Hope it helps.
Avishay Traeger
On Thu, 2005-02-03 at 23:15 +0900, Junji Kanemaru wrote:
> > auditctl -a entry,never -S all -F pid=XXXX
>
> I see. Thank you for the info.
>
> >>2)add option to use netlink_broadcast for kernel
> >>audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
> >>causes syslog write.
> >
> >
> > I don't want the audit log polluted with kernel error messages. I think they
> > belong in syslog.
>
> Yeah, but isn't it nice to have if auditd can get kernel audit warnings with
> netlink channel before panic? For example if auditd can check
> audit_backlog_limit then auditd can do some safer action before
> sudden kernel panic... I'm not saying completely replace it, just another
> event for auditd.
>
--
Avishay Traeger <atraeger at cs.sunysb.edu>
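The rule above only works while the PID baked into it still belongs to the running auditd; after a restart the old PID is stale and auditd's own syscalls are audited again. Below is an added checker (not part of this thread or of the audit project) that takes the text of `auditctl -l` and the current daemon PID and reports whether that PID is excluded and which rules still carry an old PID. It assumes rules are printed in the `-a list,action ... -F pid=N` / `-F pid!=N` form shown in the thread; the sample rule listing is constructed.

```python
import re
from typing import Dict, List

# One rule line in the form used in the thread, e.g.
#   -a entry,always -S all -F pid!=1234
#   -a entry,never  -S all -F pid=987
# The two words after -a may appear in either order (list,action or action,list).
RULE_RE = re.compile(
    r"-a\s+(?P<first>[a-z]+),(?P<second>[a-z]+).*?-F\s+pid(?P<op>!=|=)(?P<pid>\d+)"
)


def parse_pid_rules(rules_text: str) -> List[Dict]:
    """Return every rule that filters on a PID, with its action and operator."""
    found = []
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # watches (-w) and rules without a pid filter are irrelevant here
        words = {m.group("first"), m.group("second")}
        action = "never" if "never" in words else "always"
        found.append({
            "action": action,
            "op": m.group("op"),
            "pid": int(m.group("pid")),
            "rule": line.strip(),
        })
    return found


def exclusion_status(rules_text: str, auditd_pid: int) -> Dict:
    """Check whether auditd_pid is excluded from auditing by the loaded rules.

    Two rule shapes exclude a PID:
      * action "never" with  -F pid=N   (the form Junji quoted)
      * action "always" with -F pid!=N  (the form in Avishay's script)
    Any excluding rule whose PID is not the running daemon is reported as stale.
    """
    excluded = False
    stale: List[int] = []
    for r in parse_pid_rules(rules_text):
        is_exclusion = (r["action"] == "never" and r["op"] == "=") or (
            r["action"] == "always" and r["op"] == "!="
        )
        if not is_exclusion:
            continue
        if r["pid"] == auditd_pid:
            excluded = True
        else:
            stale.append(r["pid"])
    return {"excluded": excluded, "stale_pids": stale}


# Constructed sample of `auditctl -l` output: one rule for a current daemon
# (PID 1234), one left over from an earlier auditd instance (PID 987), one watch.
SAMPLE_RULES = """\
-a entry,always -S all -F pid!=1234
-a entry,never -S all -F pid=987
-w /etc/passwd -p wa
"""

if __name__ == "__main__":
    # In use: rules = subprocess.run(["auditctl", "-l"], ...).stdout,
    #         pid   = int(subprocess.run(["pidof", "auditd"], ...).stdout.split()[0])
    print(exclusion_status(SAMPLE_RULES, 1234))
    print(exclusion_status(SAMPLE_RULES, 4321))
```

Run it from a cron job or the auditd restart script: a result with `excluded` false or a non-empty `stale_pids` means the daemon's own activity is being audited and the exclusion rule needs to be replaced with the current PID.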