EXT :Re: audit.rules setting

Steve Grubb sgrubb at redhat.com
Tue Mar 22 14:40:42 UTC 2016


On Tuesday, March 22, 2016 02:26:33 PM Boyce, Kevin P wrote:
> With regard to this subject I don't know if it is possible, but it bothers
> me when shutting down a system that you get errors (when -e 2 is enabled)
> when auditd is stopping. That might be unavoidable though.

If this is a sysVinit system, then there are variables in /etc/sysconfig/auditd 
such as AUDITD_CLEAN_STOP that determine what the init script does.

If you have a systemd-based init system, then by default it does not modify 
rules like the sysVinit one does. It does have an ExecStopPost= variable that 
can be modified if you wanted to clear rules on shutdown.

-Steve

> -----Original Message-----
> From: linux-audit-bounces at redhat.com [mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
> Sent: Tuesday, March 22, 2016 10:06 AM
> To: linux-audit at redhat.com
> Subject: EXT :Re: audit.rules setting
> 
> On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> > Does the "-e 2" have to be the last line of the audit.rules file?
> 
> Yes. Once it's sent to the kernel, the kernel rules tables are immutable.
> 
> > Does it have to be listed prior to all of the syscalls and watches
> > configured in the file?
> 
> No. This will make it not load anything.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
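
Added example (not part of the original thread and not code from the audit project): a small shell lint that checks the placement rule discussed above, namely that "-e 2" is the last effective line of an audit.rules file. The function name check_e2_last, its exit codes and the sample rules are assumptions made for illustration.

```shell
#!/bin/sh
# check_e2_last FILE  (hypothetical helper, added for illustration)
#   exit 0: "-e 2" is the last effective (non-blank, non-comment) line
#   exit 1: rule lines follow "-e 2"; the rules table is already locked
#           by then, so they would not be loaded
#   exit 2: the file contains no "-e 2" line
check_e2_last() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)   # trim both ends
            gsub(/[ \t]+/, " ", line)           # collapse inner whitespace
            if (locked) {
                after++
                printf "line %d follows -e 2: %s\n", NR, line
            }
            if (line == "-e 2") locked = 1
        }
        END {
            if (!locked) exit 2
            exit (after > 0 ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: "-e 2" placed first, the ordering asked about in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-e 2
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
EOF
check_e2_last "$sample" || echo "exit status: $?"
rm -f "$sample"
```

Run it against the rules file before loading it; a non-zero status means the file should be fixed first.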



