init and its direct children not audited?

Steve Grubb sgrubb at redhat.com
Wed Aug 15 21:18:40 UTC 2007


On Wednesday 15 August 2007 10:51:21 Matthew Booth wrote:
> Does this ring any bells?

Yes.

> Is there some other method of process creation I'm not aware of? Is init
> intentionally not audited, and if so, how do I audit it?

You must have the audit=1 boot parameter to audit any process that is created 
before auditd runs. This is in the man page under NOTES.

-Steve
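
As an added example (not part of the original message or of the audit project's code), a shell check for the boot parameter described above: it classifies the `audit=` setting on a kernel command line such as the contents of `/proc/cmdline`. The function names are hypothetical, and letting the last occurrence decide when `audit=` is repeated is an assumption.

```shell
#!/bin/sh
# Added example: classify the audit= boot parameter on a kernel command line.
# Function names are hypothetical. Assumption: when audit= is given more than
# once, the last occurrence decides.

# $1: kernel command line text. Prints enabled, disabled, unset or other.
audit_boot_state() (
    set -f                      # no globbing while splitting on whitespace
    state=unset
    for tok in $1; do
        case "$tok" in
            audit=1) state=enabled ;;
            audit=0) state=disabled ;;
            audit=*) state=other ;;   # any other value: left for manual review
        esac
    done
    printf '%s\n' "$state"
)

# Prints a verdict; returns 0 only when audit=1 is in effect.
early_audit_report() {
    case "$(audit_boot_state "$1")" in
        enabled)  echo "audit=1: processes created before auditd runs can be audited"; return 0 ;;
        disabled) echo "audit=0: processes created before auditd runs are not audited"; return 1 ;;
        unset)    echo "no audit= parameter: processes created before auditd runs (init included) are not audited"; return 1 ;;
        *)        echo "unrecognised audit= value: check manually"; return 2 ;;
    esac
}

# Constructed sample command lines (not taken from the thread);
# "xaudit=1" is a decoy token, not a real parameter.
for sample in \
    'ro root=/dev/sda1 quiet' \
    'ro root=/dev/sda1 audit=1 quiet' \
    'ro root=/dev/sda1 xaudit=1 audit=0'
do
    printf '%s\n  -> ' "$sample"
    early_audit_report "$sample" || true
done

# The running system, where /proc/cmdline is readable.
if [ -r /proc/cmdline ]; then
    printf 'this boot\n  -> '
    early_audit_report "$(cat /proc/cmdline)" || true
fi
```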
