auditing auditctl
Amy Griffis
amy.griffis at hp.com
Fri Jul 29 22:17:54 UTC 2005
Amy Griffis wrote: [Fri Jul 29 2005, 04:17:12PM EDT]
> I've discovered another situation where audit is still auditing
> itself.

That was a bad diagnosis. The problem I see is an effect of running
sudo with this rule:

    auditctl -a entry,always -S close

Using the following set of rules produces normal-looking behavior,
i.e. no audit record floods.

    auditctl -w /usr/bin/sudo -p x
    auditctl -a entry,possible -S close

My apologies for the false alarm.

Amy