>You have a race condition where auditd gets a signal to shutdown and an event
>indicating that shutdown is occurring. On shutdown, the audit daemon does not
>alter the rules or whether auditing is enabled. (This was to get shutdown AVCs
>for selinux.) There is a chance that your event is in syslog's files.

For clarity, I am still not sure whether audit rules can be written to monitor whether auditd/audispd is killed or not (syslog was disabled under my circumstances). If yes, could you give me some tips? Thanks.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit