audit messages when there's no audit daemon
David Woodhouse
dwmw2 at infradead.org
Wed Jun 22 11:22:44 UTC 2005
On Wed, 2005-06-22 at 06:56 -0400, Steve Grubb wrote:
> > Why isn't audit disabled at this point?
>
> Which program would be responsible for disabling the audit system?
> init?
I was thinking that either auditd should be running or the audit system
should have been disabled.
> Also, there are actions that occur on shutdown that SE Linux people need to
> see in order to correct policy. So, we can't affect AVC messages including
> USER_AVC.
So we should exempt USER_AVC messages from the patch which discards user
messages when audit_enabled == 0? I can do that in a new kernel build.
--
dwmw2
More information about the Linux-audit
mailing list