On Friday 02 February 2007 08:02, Matthew Booth wrote:
> I was testing various failures of auditd, and amongst them I tested kill
> -SEGV and kill -KILL. I noticed that neither of these generate any audit
> event or log activity.

KILL is uncatchable and SEGV would mean that the audit daemon is about to die, so no writing would be possible.

> It occurs to me that this could be worked around, and at the same time you
> could provide some additional level of reliability, if auditd could be run
> from inittab.

It was never intended to be run from that.

> Unfortunately, the only option to auditd seems to be -f, and this prevents
> it from logging in the normal manner.

-f is for foreground debug.

> Are there any other options which might achieve this?

No.

> If not, is this a reasonable feature request?

I'm not sure. There are the issues of how to get rules loaded and logging partition availability.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
