auditd stop suggestion

Michael C Thompson mcthomps at us.ibm.com
Tue Jun 14 15:30:24 UTC 2005

I was wondering, based on the number of sleeps we have needed to put into
our test cases (and this might already have been said, if so, keep the
flames to a low simmer) is there some way to change auditd stop to have it
capture all of the messages up until the point where the stop was issued?

Seems to me that while this change doesn't have to come now, it would be a
nice addition in the future. Perhaps having the auditd stop insert a
message into the queue (if that's possible?) and have auditd die when it
sees that message, as opposed to just dropping dead when the stop is made,
causing a possible (and highly probable, happens all the time with our
tests if they don't have sleeps) loss of information.

Thought I'd mention it if no one has yet.

Mike


BTW, if this isn't in plaintext, let me know, until this point it has been.
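
The stop-marker idea from the message above, as an added sketch that is not part of the original post and is not auditd code: a pipe stands in for the event queue, and the record layout, `REC_STOP` and `events_captured` are hypothetical names. It compares a reader that exits the moment stop is issued with one that drains the queue until it reads the marker.

```c
/* Added illustration, not auditd source: a pipe stands in for the event queue
   and REC_STOP is a hypothetical in-band stop marker. */
#include <stdio.h>
#include <unistd.h>

enum { REC_EVENT = 1, REC_STOP = 2 };          /* hypothetical record types */
struct record { int type; int seq; };

static int put(int fd, int type, int seq)
{
    struct record r = { type, seq };
    return write(fd, &r, sizeof r) == (ssize_t)sizeof r ? 0 : -1;
}

static int get(int fd, struct record *r)
{
    return read(fd, r, sizeof *r) == (ssize_t)sizeof *r ? 0 : -1;
}

/* `total` constructed events are queued (keep it small enough for the pipe
   buffer); the reader has consumed `read_before_stop` of them at stop time.
   use_marker == 0: reader exits at once, abandoning what is still queued.
   use_marker == 1: stop enqueues REC_STOP and the reader drains up to it. */
int events_captured(int total, int read_before_stop, int use_marker)
{
    int fd[2], captured = 0, rc = -1;          /* rc stays -1 on I/O error */
    struct record r = { 0, 0 };

    if (pipe(fd) < 0)
        return -1;
    for (int i = 0; i < total; i++)
        if (put(fd[1], REC_EVENT, i) < 0) goto out;
    for (; captured < read_before_stop && captured < total; captured++)
        if (get(fd[0], &r) < 0) goto out;
    if (use_marker) {                          /* "stop" is just another record */
        if (put(fd[1], REC_STOP, 0) < 0) goto out;
        while (get(fd[0], &r) == 0 && r.type != REC_STOP)
            captured++;
        if (r.type != REC_STOP) goto out;      /* queue broke before the marker */
    }
    rc = captured;
out:
    close(fd[0]);
    close(fd[1]);
    return rc;
}

int main(void) { printf("%d %d\n", events_captured(8, 3, 0), events_captured(8, 3, 1)); return 0; }
```

The marker only bounds events that were enqueued ahead of it, so the result depends on the queue preserving order.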