Path ignored but syscall event still logged

Steve Grubb sgrubb at redhat.com
Wed Dec 21 19:24:45 UTC 2011


On Wednesday, December 21, 2011 07:17:01 AM Max Williams wrote:
> Sorry, forgot to include that!
> 
> [root at host1 ~]# uname -r
> 2.6.32-131.21.1.el6.x86_64
> [root at host1 ~]# auditctl -s
> AUDIT_STATUS: enabled=1 flag=0 pid=24173 rate_limit=0 backlog_limit=8192
> lost=124822501 backlog=0

Initial assessment: the kernel patch that discards events might only work on
open(2). Eric is looking to see if this can be safely broadened.

-Steve



> On Tuesday, December 20, 2011 12:55:49 PM Max Williams wrote:
> > How come this event is not ignored due to the 8th rule? I think I'm
> > missing something.
> 
> One piece of information is missing. The enforcement of the audit policy is
> done by the kernel. What do you get for uname -r?
> 
> -Steve




More information about the Linux-audit mailing list