my syslogd was disabled. Also, after restarting auditd, those messages don't appear anymore.

I want to know if auditd (and its child process, audispd) can monitor themselves being killed or not.

On Monday, January 4, 2016, Richard Guy Briggs <r...@redhat.com> wrote:
> On 16/01/04, Matthew Chao wrote:
> > Hi,
> >
> > I added the following rules in audit.rules for monitoring auditd/audispd
> > being killed (audit ver: 1.8),
> > =============
> > -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
> >
> > Or
> > -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
> >
> > -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> > =============
> >
> > However, these rules don't work: even when the processes (auditd/audispd)
> > are killed, I can't get any related messages except DAEMON_END.
>
> Is that because auditd is no longer there to receive that message? Did
> it show up in syslog or were you able to re-start auditd before the hold
> queue overflowed to be able to pick up those messages?
>
> - RGB
>
> --
> Richard Guy Briggs <rbri...@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating
> Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
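The thread turns on which records actually reach audit.log when auditd itself is signalled: the DAEMON_END record auditd writes on the way out, any hits on the `-k cfg` file-watch rules, and a SYSCALL record for the kill(2) call itself if the kernel could still deliver it (for example because auditd was restarted before the backlog overflowed, as RGB asks). The following Python script is an added example and not code from the thread or from the audit project: it parses a constructed audit.log excerpt and reports those three record kinds together, so an operator can check after the fact whether a stop of auditd was accompanied by a kill directed at its pid. It assumes the `type=... msg=audit(time:serial): field=value ...` record layout used by auditd 2.x, and x86_64 syscall numbering (kill is syscall 62, with the target pid in `a0` and the signal in `a1`, both printed in hex); the sample log lines, pids and timestamps are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample audit.log excerpt (not taken from the thread). Three records:
#  1. a write to /var/run/auditd.pid caught by a file-watch rule keyed "cfg"
#  2. a kill(2) syscall record (x86_64 syscall 62) sent to pid 1234 with SIGTERM (15);
#     whether this record is ever received is exactly the question in the thread
#  3. the DAEMON_END record auditd writes as it shuts down
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1451900000.101:2001): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0000 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=2222 auid=1000 uid=0 gid=0 comm="vim" exe="/usr/bin/vim" key="cfg"
type=SYSCALL msg=audit(1451900020.000:2002): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=f a2=0 a3=0 items=0 ppid=1 pid=3333 auid=1000 uid=0 gid=0 comm="kill" exe="/usr/bin/kill" key=(null)
type=DAEMON_END msg=audit(1451900020.500:2003): auditd normal halt, sending auid=1000 pid=1234 subj=unconfined res=success
"""

# "type=T msg=audit(SECONDS.MILLIS:SERIAL): rest-of-record"
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# field=value tokens; quoted values may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
KILL_SYSCALL_X86_64 = 62  # assumption: x86_64 syscall table


def parse_record(line: str) -> dict:
    """Split one audit record into a dict of its fields; {} if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return {}
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for key, value in FIELD_RE.findall(m.group(4)):
        rec[key] = value.strip('"')
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def daemon_end_records(records: List[dict]) -> List[dict]:
    """Every record auditd wrote while shutting down."""
    return [r for r in records if r["type"] == "DAEMON_END"]


def records_for_key(records: List[dict], key: str) -> List[dict]:
    """Records that hit a rule tagged with the given -k key."""
    return [r for r in records if r.get("key") == key]


def signals_to_pid(records: List[dict], target_pid: int) -> List[Tuple[int, int]]:
    """(serial, signal) for each successful kill(2) whose target (a0, hex) is target_pid."""
    hits = []
    for r in records:
        if r["type"] != "SYSCALL" or r.get("syscall") != str(KILL_SYSCALL_X86_64):
            continue
        if r.get("success") != "yes":
            continue
        if int(r["a0"], 16) == target_pid:
            hits.append((r["serial"], int(r["a1"], 16)))
    return hits


def report(text: str) -> List[str]:
    """Human-readable summary: each auditd stop, any kill aimed at its pid, and cfg-rule hits."""
    recs = parse_log(text)
    lines = []
    for r in daemon_end_records(recs):
        pid = int(r["pid"])
        lines.append(f"auditd stopped: serial={r['serial']} pid={pid} res={r.get('res')}")
        for serial, sig in signals_to_pid(recs, pid):
            lines.append(f"  signal {sig} was sent to auditd pid {pid} (serial={serial})")
    for r in records_for_key(recs, "cfg"):
        lines.append(f"cfg rule hit: serial={r['serial']} comm={r.get('comm')} syscall={r.get('syscall')}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a real audit.log instead of `SAMPLE_LOG` by reading the file into `report()`; if the DAEMON_END line is present but no kill record for its pid follows, the kill happened after auditd could no longer receive kernel records, which is the situation the thread describes.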