auditing auditctl
Linda Knippers
linda.knippers at hp.com
Fri Jul 29 20:30:54 UTC 2005
If there's no auditd running, then I don't think the kernel will know
which process/threads to exclude since it's using auditd's pid to decide
that. Even then, wouldn't auditctl's open/close syscalls be audited
with the rules you're using? What would cause them to be excluded?
What do the audit records look like?
-- ljk
Amy Griffis wrote:
> Hello,
>
> I've discovered another situation where audit is still auditing
> itself. When I have audit enabled but I'm not running the daemon, and
> add rules like:
>
> # auditctl -a entry,always -S open
> # auditctl -a entry,always -S close
>
> Doing something like 'auditctl -l' floods the console with audit
> records.
>
> Has anyone else seen this? I'm running the .81 kernel.
>
> Thanks,
> Amy