audit-0.6.7 released

Steve Grubb sgrubb at redhat.com
Thu Mar 10 22:02:49 UTC 2005


On Thursday 10 March 2005 15:55, Debora Velarde wrote:
> But I'm not sure that enabled really is 1.  Because if you start adding
> rules and executing syscalls, the audit records go to /var/log/messages
> instead of /var/log/audit.log.

This sounds like the kernel bug that I was chasing over the weekend. What 
kernel are you using? I'm using the latest from the yum repo (I think .11) 
and don't see this problem.

If enabled is 1 & the pid matches the audit daemon's, the audit daemon had 
better get the packets or there's a kernel problem. The kernel decides the 
packet disposition between auditd & syslog.

-Steve
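The check described in this message (enabled is 1 and the kernel's registered pid matches the audit daemon's), as an added example that is not part of the original message or of the audit project's code. The function names, the two status layouts it parses, and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where the kernel should deliver audit records,
# given `auditctl -s` status text and the PID of the running auditd.

# Print the value of KEY from status text written as "key=value" or "key value".
status_field() {
    printf '%s\n' "$1" | tr '=' ' ' |
        awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# audit_disposition STATUS_TEXT AUDITD_PID
audit_disposition() {
    enabled=$(status_field "$1" enabled)
    pid=$(status_field "$1" pid)
    if [ -z "$enabled" ] || [ -z "$pid" ]; then
        echo "unknown"        # status text could not be parsed
    elif [ "$enabled" = "0" ]; then
        echo "disabled"       # auditing is switched off
    elif [ "$pid" = "0" ]; then
        echo "syslog"         # no daemon registered with the kernel
    elif [ "$pid" = "$2" ]; then
        echo "auditd"         # the daemon should be receiving the records
    else
        echo "pid-mismatch"   # kernel is registered to a different process
    fi
}

# Constructed sample status text (not captured from a real system).
SAMPLE_KV='AUDIT_STATUS: enabled=1 flag=1 pid=2345 rate_limit=0 backlog_limit=256 lost=0 backlog=0'
SAMPLE_LINES='enabled 1
failure 1
pid 0
rate_limit 0'

audit_disposition "$SAMPLE_KV" 2345
audit_disposition "$SAMPLE_LINES" 2345

# On a live system (as root): audit_disposition "$(auditctl -s)" "$(pidof auditd)"
```

If this reports `auditd` while records still land in /var/log/messages, the configuration is consistent and the kernel is the place to look, which is the situation the message describes.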



