auditing auditctl

Klaus Weidner klaus at atsec.com
Fri Jul 29 21:12:37 UTC 2005


On Fri, Jul 29, 2005 at 04:17:12PM -0400, Amy Griffis wrote:
> I've discovered another situation where audit is still auditing
> itself.  When I have audit enabled but I'm not running the daemon, and
> add rules like:
> 
> # auditctl -a entry,always -S open
> # auditctl -a entry,always -S close
> 
> Doing something like 'auditctl -l' floods the console with audit
> records.

I wouldn't worry too much about this effect, since unconditionally
auditing all open and close calls is a really bad idea anyway; you'll
usually want "entry,possible" combined with watches instead. So unless it
goes into an infinite loop of audit records triggered by printing audit
records I'd consider this to be an acceptable oddity.

-Klaus



