How to monitor audit/audispd killed

[Matthew Chao]

Hi,

I added the following rules in audit.rules for monitoring auditd/audispd be
killed(audit ver: 1.8),
=============
-a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg

-a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg

Or
-a exit,always -S kill -F path=/var/run/auditd.pid -k cfg

-a exit,always -S kill -F path=/var/run/audispd_events -k cfg
=============

However, these rules don't work: even the processes (auditd/audispd) are
killed, I can't get any related messages except DAEMON_END.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160104/e6e4f76c/attachment.htm>