init and its direct children not audited?
Steve Grubb
sgrubb at redhat.com
Wed Aug 15 21:18:40 UTC 2007
On Wednesday 15 August 2007 10:51:21 Matthew Booth wrote:
> Does this ring any bells?
Yes.
> Is there some other method of process creation I'm not aware of? Is init
> intentionally not audited, and if so, how do I audit it?
You must have the audit=1 boot parameter to audit any process that is created
before auditd runs. This is in the man page under NOTES.
-Steve
More information about the Linux-audit
mailing list