Not auditing dispatchers
Linda Knippers
linda.knippers at hp.com
Fri Jun 6 22:53:01 UTC 2008
You could construct your audit rules dynamically so that they
exclude the dispatcher. You'd have to know its pid and then have
a -F pid!= xxx option on your audit rules. I haven't tried that
but it should work. You'd have to re-do the rules if the dispatcher
was restarted so it's kind of clunky.
I think the feature that LAuS had for letting trusted programs
enable/disable auditing of themselves was kind of handy.
-- ljk
Matthew Booth wrote:
> The kernel ignores auditable events from the audit daemon, but is there
> an 'approved' way to achieve the same for dispatchers? The problem is
> the same, in that you get an infinite loop if the dispatcher itself
> performs any action which generates an audit record.
>
> Thanks,
>
> Matt
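
The dynamic-rules approach from the reply above, as an added example (not part of the original thread and not code from the audit project). The helper name add_pid_exclusion, the sample rules and the pid 4242 are constructed for illustration; the output is meant to be written to a file and loaded with auditctl -R.

```shell
#!/bin/sh
# Added example: emit audit rules that skip events from one pid (the dispatcher).
# add_pid_exclusion and sample_rules are hypothetical names; the rules are constructed.

# Usage: add_pid_exclusion PID < rules.template > rules.generated
# Appends "-F pid!=PID" to every syscall rule (-a / -A). Comments and control
# lines pass through unchanged. Watches (-w) take no -F field, so they pass
# through too, with a warning: they will still record the dispatcher's accesses.
add_pid_exclusion() {
    pid=$1
    case $pid in
        ''|*[!0-9]*) echo "add_pid_exclusion: bad pid '$pid'" >&2; return 1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            -a\ *|-A\ *)
                printf '%s -F pid!=%s\n' "$line" "$pid" ;;
            -w\ *)
                echo "warning: watch not filtered by pid: $line" >&2
                printf '%s\n' "$line" ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed rule template standing in for a site's real rules file.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
-D
-a exit,always -S open -F success=0
-a exit,always -S unlink
-w /etc/passwd -p wa
EOF
}

# Demo with a constructed pid. In practice pass the dispatcher's current pid,
# and regenerate and reload the rules every time the dispatcher restarts;
# until that reload happens the new dispatcher process is audited again.
sample_rules | add_pid_exclusion 4242
```

Because the exclusion is tied to a pid, the rules silently stop covering the dispatcher after a restart, and a reused pid would exempt an unrelated process until the rules are rebuilt.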