Audit for live supervision
Kay Hayen
kayhayen at gmx.de
Tue Aug 19 21:35:14 UTC 2008
Hello Steve,
you wrote:
> > I don't really understand why it is helping security, if I need to kill
> > auditd before I can open the netlink socket. For both I need root rights.
>
> The queueing is complicated and if you have a group of processes it gets
> really messy. The audit queue tries hard for guaranteed delivery or takes the
> system down if the flow is not working right. It's not like syslog or
> iptables logging.
Ah I see! So I misread "security" to mean "prevent access" where it's
actually "security" as in "not possibly corrupted data", and that's very
welcome. Sorry about the confusion.
BTW: I looked at the auditctl source and did some tests, and it seems the rules can
be set by using auditctl even without auditd running. So that means we don't
have to do that ourselves.
Best regards,
Kay Hayen
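As an added illustration of the netlink exchange this thread is about (example code written for this page, not code from the thread or from the audit-userspace project): the script below sends an AUDIT_GET request on a NETLINK_AUDIT socket and decodes the audit_status reply. The pid field of that reply is the registered audit daemon (0 when none), and the failure field is the kernel's reaction when it cannot deliver (0 silent, 1 printk, 2 panic), which is the "take the system down" behaviour Steve describes. The constants are taken from the kernel's <linux/netlink.h> and <linux/audit.h>; only the first eight fields of audit_status are parsed so the code works with both older and newer kernels. The sample replies are constructed inline, not captured from a kernel; the live query needs CAP_AUDIT_CONTROL and Linux.

```python
"""Query audit subsystem status over NETLINK_AUDIT, the socket auditd holds.
Added example for this page; not from the thread or audit-userspace."""
import os
import socket
import struct

# Values from <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT = 9
AUDIT_GET = 1000            # "get status" request type
NLM_F_REQUEST = 0x01
NLMSG_ERROR = 0x02
NLMSG_HDRLEN = 16           # struct nlmsghdr has no padding on any arch
NLHDR_FMT = "=IHHII"        # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid

# Leading fields of struct audit_status. Newer kernels append more fields
# (feature_bitmap, backlog_wait_time, ...); parsing only this prefix works
# on old and new kernels alike.
STATUS_FIELDS = ("mask", "enabled", "failure", "pid", "rate_limit",
                 "backlog_limit", "lost", "backlog")
STATUS_FMT = "=%dI" % len(STATUS_FIELDS)
FAILURE_NAMES = {0: "silent", 1: "printk", 2: "panic"}   # AUDIT_FAIL_*


def build_audit_get(seq):
    """An AUDIT_GET request is a bare nlmsghdr: 16 bytes, no payload."""
    return struct.pack(NLHDR_FMT, NLMSG_HDRLEN, AUDIT_GET, NLM_F_REQUEST, seq, 0)


def parse_nlmsghdr(data):
    """Return (len, type, flags, seq, pid) from the start of a netlink buffer."""
    if len(data) < NLMSG_HDRLEN:
        raise ValueError("short netlink header (%d bytes)" % len(data))
    return struct.unpack(NLHDR_FMT, data[:NLMSG_HDRLEN])


def parse_netlink_reply(data, expected_seq):
    """Validate the first message in a reply and return (type, payload).

    A kernel-side refusal arrives as NLMSG_ERROR carrying a negative errno;
    it is raised as OSError, so a caller without CAP_AUDIT_CONTROL sees EPERM.
    """
    nlen, ntype, _flags, nseq, _pid = parse_nlmsghdr(data)
    if nlen < NLMSG_HDRLEN or nlen > len(data):
        raise ValueError("bad nlmsg_len %d for %d-byte buffer" % (nlen, len(data)))
    if nseq != expected_seq:
        raise ValueError("sequence mismatch: got %d, expected %d" % (nseq, expected_seq))
    payload = data[NLMSG_HDRLEN:nlen]
    if ntype == NLMSG_ERROR:
        (error,) = struct.unpack("=i", payload[:4])    # struct nlmsgerr.error
        raise OSError(-error, os.strerror(-error))
    return ntype, payload


def parse_audit_status(payload):
    """Decode the audit_status prefix into a dict of field name -> value."""
    size = struct.calcsize(STATUS_FMT)
    if len(payload) < size:
        raise ValueError("audit_status payload too short: %d bytes" % len(payload))
    return dict(zip(STATUS_FIELDS, struct.unpack(STATUS_FMT, payload[:size])))


def daemon_registered(status):
    """pid is the registered audit daemon (normally auditd); 0 means none."""
    return status["pid"] != 0


def summarize(status):
    """One line covering the fields the thread is concerned with."""
    return "enabled=%d daemon_pid=%d failure=%s backlog=%d/%d lost=%d" % (
        status["enabled"], status["pid"],
        FAILURE_NAMES.get(status["failure"], str(status["failure"])),
        status["backlog"], status["backlog_limit"], status["lost"])


def query_audit_status(seq=1):
    """Live exchange: send AUDIT_GET, parse the status reply. Needs root."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    try:
        sock.bind((0, 0))                    # kernel assigns our port id
        sock.send(build_audit_get(seq))
        ntype, payload = parse_netlink_reply(sock.recv(8192), seq)
        if ntype != AUDIT_GET:
            raise ValueError("unexpected reply type %d" % ntype)
        return parse_audit_status(payload)
    finally:
        sock.close()


def sample_status_reply(seq=1, pid=1234):
    """Constructed AUDIT_GET reply (not captured from a kernel) for offline use:
    auditing enabled, failure=printk, a daemon at `pid`, 3 of 8192 queued."""
    body = struct.pack(STATUS_FMT, 0, 1, 1, pid, 0, 8192, 0, 3)
    hdr = struct.pack(NLHDR_FMT, NLMSG_HDRLEN + len(body), AUDIT_GET, 0, seq, 0)
    return hdr + body


def sample_error_reply(seq=1, errno_value=1):
    """Constructed NLMSG_ERROR reply in the kernel's layout (negative errno,
    then the echoed request header); the default is EPERM."""
    body = struct.pack("=i", -errno_value) + build_audit_get(seq)
    hdr = struct.pack(NLHDR_FMT, NLMSG_HDRLEN + len(body), NLMSG_ERROR, 0, seq, 0)
    return hdr + body


if __name__ == "__main__":
    try:
        print(summarize(query_audit_status()))
    except OSError as exc:
        print("AUDIT_GET refused: %s (needs root / CAP_AUDIT_CONTROL)" % exc)
```

Running it as root on a box with auditd up prints a nonzero daemon_pid; with auditd stopped the pid reads 0, which is the state Kay describes where another process could register itself as the listener. Querying status this way does not touch the rule set, so it composes with loading rules through auditctl as the mail suggests.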