audit messages when there's no audit daemon

Steve Grubb sgrubb at redhat.com
Wed Jun 22 11:36:05 UTC 2005


On Wednesday 22 June 2005 07:22, David Woodhouse wrote:
> > Which program would be responsible for disabling the audit system?
> > init?
>
> I was thinking that either auditd should be running or the audit system
> should have been disabled.

hwclock sync is done after auditd is shut down. auditd doesn't know the system 
is going down; "service auditd stop" doesn't really express that. Also, 
syslog exits very early in the shutdown, so these really only go to the console 
screen.

> > Also, there are actions that occur on shutdown that SE Linux people need
> > to see in order to correct policy. So, we can't affect AVC messages
> > including USER_AVC.
>
> So we should exempt USER_AVC messages from the patch which discards user
> messages when audit_enabled == 0? I can do that in a new kernel build.

Yes. USER_AVC and the whole SE Linux message type range can/should be 
displayed to console. However, I still wonder if that could be user 
configurable. In other words, should user message types have KERN_ERR or 
KERN_NOTICE (with the exception of USER_AVC)?

-Steve
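The filtering rule under discussion, written out as an added user-space model (not kernel code and not anything from this thread): with no auditd and audit_enabled == 0, ordinary user-space record types are dropped, while USER_AVC and the SELinux type range still reach the console. The type values mirror linux/audit.h; the shutdown record sequence is constructed for the demo.

```c
#include <stdio.h>
#include <stdbool.h>

/* Record type ranges, values as in linux/audit.h (defined locally so the
 * model builds without kernel headers). */
#define AUDIT_FIRST_USER_MSG   1100
#define AUDIT_USER_AVC         1107
#define AUDIT_LAST_USER_MSG    1199
#define AUDIT_FIRST_SELINUX    1400
#define AUDIT_LAST_SELINUX     1499
#define AUDIT_FIRST_USER_MSG2  2100
#define AUDIT_LAST_USER_MSG2   2199

/* Records that SELinux policy writers need to see even during shutdown. */
static bool policy_relevant(int type)
{
    return type == AUDIT_USER_AVC ||
           (type >= AUDIT_FIRST_SELINUX && type <= AUDIT_LAST_SELINUX);
}

/* Decision modelled from the thread: when audit is disabled, drop plain
 * user-space records but keep the policy-relevant ones. */
bool audit_user_record_kept(int type, int audit_enabled)
{
    if (audit_enabled)
        return true;
    return policy_relevant(type);
}

/* Count how many of a constructed record sequence would still be printed. */
int kept_count(const int *types, int n, int audit_enabled)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (audit_user_record_kept(types[i], audit_enabled))
            kept++;
    return kept;
}

int main(void)
{
    /* Constructed shutdown sequence after auditd has stopped: a USER_AUTH
     * record, a USER_AVC denial, an SELinux policy record, a USER_MSG2 record. */
    int seq[] = { AUDIT_FIRST_USER_MSG, AUDIT_USER_AVC,
                  AUDIT_FIRST_SELINUX, AUDIT_FIRST_USER_MSG2 };
    printf("kept with audit disabled: %d of 4\n", kept_count(seq, 4, 0));
    return 0;
}
```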
