How to monitor audit/audispd killed

Matthew Chao mathewchao at gmail.com
Mon Jan 4 19:49:57 UTC 2016


My syslogd was disabled.
Also, after restarting auditd, those messages don't appear anymore.

I want to know whether auditd (and its child process, audispd) can monitor
themselves being killed or not.


On Monday, January 4, 2016, Richard Guy Briggs <rgb at redhat.com> wrote:

> On 16/01/04, Matthew Chao wrote:
> > Hi,
> >
> > I added the following rules in audit.rules for monitoring auditd/audispd
> > being killed (audit ver: 1.8),
> > =============
> > -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
> >
> > Or
> > -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> > =============
> >
> > However, these rules don't work: even when the processes (auditd/audispd) are
> > killed, I can't get any related messages except DAEMON_END.
>
> Is that because auditd is no longer there to receive that message?  Did
> it show up in syslog or were you able to re-start auditd before the hold
> queue overflowed to be able to pick up those messages?
>
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating
> Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>
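As an added example (not code from the thread or the audit project), here is a Python parser that walks the DAEMON_START/DAEMON_END/DAEMON_ABORT records RGB refers to and reports each recorded daemon stop, which auid requested it, and whether a restart followed. The sample records are constructed, and their exact field set is an assumption (it varies between auditd versions).

```python
import re

# Constructed sample audit records in the general shape of auditd lifecycle
# events (type=..., msg=audit(ts:serial):, then key=value fields). The exact
# field set is an assumption; it varies between auditd versions.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1451933300.101:1): op=start ver=2.4 format=raw auid=4294967295 pid=1201 uid=0 res=success
type=SYSCALL msg=audit(1451933350.500:20): arch=c000003e syscall=62 success=yes exit=0 auid=0 pid=1300 comm="kill" key="cfg"
type=DAEMON_END msg=audit(1451933397.223:57): op=terminate auid=0 pid=1201 res=success
type=DAEMON_START msg=audit(1451933410.005:58): op=start ver=2.4 format=raw auid=4294967295 pid=1344 uid=0 res=success
type=DAEMON_END msg=audit(1451933500.777:90): op=terminate auid=1000 pid=1344 res=success
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STOP_TYPES = {"DAEMON_END", "DAEMON_ABORT"}


def parse_record(line):
    """Split one raw audit line into its type, timestamp, serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m.group("rest")))
    return rec


def auditd_lifecycle(log_text):
    """Return (stops, running): every recorded daemon stop (who requested it,
    whether a DAEMON_START followed, downtime) and the pid the log last
    claims is running (None if the last lifecycle record is a stop)."""
    stops, running = [], None
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # unparsable line; other record types are simply skipped below
        if rec["type"] == "DAEMON_START":
            if stops and stops[-1]["restarted_pid"] is None:
                stops[-1]["restarted_pid"] = rec.get("pid")
                stops[-1]["downtime_s"] = round(rec["ts"] - stops[-1]["ts"], 3)
            running = rec.get("pid")
        elif rec["type"] in STOP_TYPES:
            stops.append({"ts": rec["ts"], "type": rec["type"], "pid": rec.get("pid"),
                          "by_auid": rec.get("auid"), "restarted_pid": None, "downtime_s": None})
            running = None
    return stops, running
```

Because SIGKILL cannot be caught, a daemon killed that way leaves no stop record at all, so "running" here only means what the log last said; pair this with a liveness check on the auditd pid.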