How to monitor audit/audispd killed
Matthew Chao
mathewchao at gmail.com
Mon Jan 4 12:10:29 UTC 2016
Hi,
I added the following rules in audit.rules for monitoring whether auditd/audispd
are killed (audit ver: 1.8),
=============
-a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
-a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
Or
-a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
-a exit,always -S kill -F path=/var/run/audispd_events -k cfg
=============
However, these rules don't work: even when the processes (auditd/audispd) are
killed, I can't get any related messages except DAEMON_END.