log messages

Steve Grubb sgrubb at redhat.com
Fri Nov 2 18:39:00 UTC 2007


On Friday 02 November 2007 01:51:54 pm Bill Tangren wrote:
>
> Nov  2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500
> removed an audit rule
>
> What does this mean?

It means that the user logged in under acct 500 either deleted an audit rule 
by hand or ran a script that did. On shutdown, the audit daemon init script 
will delete rules unless you tell it not to in /etc/sysconfig/audit.

> Does it mean that some of my rules in 
> /etc/audit.rules are improper, and the server is removing them?

Most likely the initscript is removing the rules since you said it was on a 
restart.

-Steve
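
An added example, not part of the original message or of the audit project's code: a small Python parser for the syslog-relayed kernel audit record quoted above, which pulls out the timestamp, serial number and auid and groups "removed an audit rule" events by login uid. Only the first sample line comes from the thread; the others are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Kernel audit records relayed through syslog carry "audit(<epoch>.<ms>:<serial>):"
AUDIT_RE = re.compile(
    r"kernel: audit\((?P<epoch>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): "
    r"auid=(?P<auid>\d+) (?P<msg>.*)$"
)
UNSET_AUID = 4294967295  # (uid_t)-1: no login uid was ever set for the process

def parse_line(line):
    """Return a dict for a syslog-relayed audit record, or None for other lines."""
    m = AUDIT_RE.search(line.rstrip())
    if m is None:
        return None
    # The epoch inside audit(...) is UTC; the syslog prefix is host local time.
    when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    return {
        "time_utc": when.replace(microsecond=int(m["ms"]) * 1000),
        "serial": int(m["serial"]),
        "auid": int(m["auid"]),
        "msg": m["msg"],
    }

def rule_removals(lines):
    """Group 'removed an audit rule' events by auid, in serial order."""
    by_auid = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev["msg"] == "removed an audit rule":
            by_auid.setdefault(ev["auid"], []).append(ev)
    for events in by_auid.values():
        events.sort(key=lambda e: e["serial"])
    return by_auid

# First line is the record quoted in the thread (mail line wrap rejoined);
# the remaining lines are constructed for this example.
SAMPLE = [
    "Nov  2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule",
    "Nov  2 10:27:25 charon kernel: audit(1194013645.801:6809): auid=500 removed an audit rule",
    "Nov  2 10:27:26 charon sshd[2211]: constructed non-audit line",
    "Nov  2 10:31:02 charon kernel: audit(1194013862.120:6841): auid=4294967295 removed an audit rule",
]

if __name__ == "__main__":
    for auid, events in rule_removals(SAMPLE).items():
        who = "unset" if auid == UNSET_AUID else auid
        print(f"auid={who}: {len(events)} removal(s), first at {events[0]['time_utc'].isoformat()}")
```

Comparing the UTC times of removals against the times of known audit daemon restarts or shutdowns is one way to separate init-script cleanup from a rule deleted by hand.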
