Removal of audit rules with audit start

Kris Wilson krisw at us.ibm.com
Mon Feb 14 20:32:36 UTC 2005





Hi,

I found that when I stop auditd, any existing audit rules still exist, but
they are deleted when I restart using audit-0.6.2.  Is this new behavior
deliberate and preferred?  Is there a new option to not delete rules on
startup?  All our tests are stopping and restarting auditd between
assertions and cleaning out the log file to reduce clutter.  We'll need to
change the tests if this will no longer work.  If users have a lot of rules
created but have to bring down auditd for some reason, won't this be a
problem?

Thanks!


Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw at us.ibm.com