Double addition of rule yields two log messages
Linda Knippers
linda.knippers at hp.com
Fri May 19 18:47:45 UTC 2006
>>Speaking of ausearch, I just noticed that it emits this message:
>>>
>>> # /sbin/ausearch -m CONFIG_CHANGE -i
>>> Warning - freq is non-zero and incremental flushing not selected.
>
> That comes from the config file parser. You've got a problem
> in /etc/audit/auditd.conf that should be fixed.
It's true that my auditd.conf (which I don't think I've ever
modified) has freq = 20 and flush = SYNC. I assume that SYNC
means that freq is ignored. The manpage says freq is only valid
if flush=incremental so it seems like an unnecessary warning.
But why does ausearch care? Seems like if anything cared it
would be the auditd but I can't find an error or warning from
it anywhere. Seems really odd that this message comes from
ausearch.
-- ljk