audit system still audits auditd

Steve Grubb sgrubb at redhat.com
Wed Jun 15 22:56:46 UTC 2005


I was doing a test:

auditctl -a entry,always -S all -F auid=-1

It turns out this tends to report auditd doing things:

type=SYSCALL msg=audit(1118858393.806:1338447): arch=40000003 syscall=240 
success=yes exit=1 a0=b8ce64 a1=1 a2=1 a3=a79a208 items=0 pid=1716 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858393.806:1338456): arch=40000003 syscall=4 
success=yes exit=254 a0=5 a1=b7fff000 a2=fe a3=fe items=0 pid=1716 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="auditd" exe="/sbin/auditd"
type=SYSCALL msg=audit(1118858393.806:1338459): arch=40000003 syscall=197 
success=yes exit=0 a0=5 a1=b7fe81bc a2=659ff4 a3=b7fe81bc items=0 pid=1716 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="auditd" exe="/sbin/auditd"

Of course, the audit system dies in about 15 seconds since each record 
generates 10 new events.

-Steve
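As an added example (not code from Steve's post or from the audit project), a small Python parser for SYSCALL records in the format quoted above. It flags the records the audit subsystem generated about auditd itself (comm="auditd" with an unset login uid, which is the auid=-1 the rule matched), i.e. the records that feed the loop; the third sample record is constructed to show an event that is not flagged.

```python
import re
from collections import Counter

# Constructed sample: the first two SYSCALL records quoted in the post, re-joined onto
# single lines (auditd writes each record as one line), plus one unrelated record.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1118858393.806:1338447): arch=40000003 syscall=240 '
    'success=yes exit=1 a0=b8ce64 a1=1 a2=1 a3=a79a208 items=0 pid=1716 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="auditd" exe="/sbin/auditd"',
    'type=SYSCALL msg=audit(1118858393.806:1338456): arch=40000003 syscall=4 '
    'success=yes exit=254 a0=5 a1=b7fff000 a2=fe a3=fe items=0 pid=1716 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'comm="auditd" exe="/sbin/auditd"',
    # Constructed record from an ordinary logged-in user, so it must not be flagged.
    'type=SYSCALL msg=audit(1118858400.000:1338500): arch=40000003 syscall=5 '
    'success=yes exit=3 a0=bf8a1c2 a1=0 a2=0 a3=0 items=1 pid=2048 '
    'auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
    'comm="cat" exe="/bin/cat"',
]

AUID_UNSET = 4294967295  # (unsigned)-1: login uid never set, the auid=-1 of the rule
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value, value quoted or bare

def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes removed)."""
    fields = {}
    for m in _FIELD.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields

def self_audit_events(lines, daemon_comm="auditd"):
    """Return SYSCALL records the audit subsystem emitted about its own daemon.
    Each such record makes auditd write to disk, which the rule catches again:
    these are the events that feed the runaway described in the post."""
    flagged = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if rec.get("comm") == daemon_comm and int(rec.get("auid", -1)) == AUID_UNSET:
            flagged.append(rec)
    return flagged

def events_per_comm(lines):
    """Count records per command name; a spike for auditd points at a self-audit loop."""
    return Counter(parse_record(line).get("comm") for line in lines)
```

On the rule side, the usual cure is to exclude the daemon's own process from the match, e.g. adding `-F pid!=$(pidof auditd)` to the rule.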



