With regard to this subject I don't know if it is possible, but it bothers me when
shutting down a system that you get errors (when -e 2 is enabled) when auditd is
stopping.
That might be unavoidable though.
Kevin Boyce
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Steve Grubb
Sent: Tuesday, March 22, 2016 10:06 AM
To: linux-audit(a)redhat.com
Subject: EXT :Re: audit.rules setting
On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> Does the "-e 2" have to be the last line of the audit.rules
> file?

Yes. Once it's sent to the kernel, the kernel rules tables are immutable.

> Does it have to be listed prior to all of the syscalls and watches
> configured in the file?

No. This will make it not load anything.

-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
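
The ordering rule from Steve's reply can be checked before a rules file is loaded. The following is an added example, not code from the thread or from the audit project: it reports any rule lines placed after `-e 2`, which the kernel would refuse once the configuration is locked. The function names and both sample rule files are constructed for illustration.

```python
import shlex

def parse_rules(text):
    """Yield (line_number, tokens) for each effective line of an audit.rules file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are skipped
            continue
        yield lineno, shlex.split(line)

def enabled_flag(tokens):
    """Return the value passed to -e on this line, or None if there is no -e."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-e":
            return tokens[i + 1]
    return None

def check_lock_position(text):
    """Return (lock_line, stranded): the line number holding '-e 2' (None if
    absent) and the (line_number, rule) pairs that appear after it."""
    lock_line = None
    stranded = []
    for lineno, tokens in parse_rules(text):
        if lock_line is not None:
            stranded.append((lineno, " ".join(tokens)))
        elif enabled_flag(tokens) == "2":
            lock_line = lineno
    return lock_line, stranded

# Constructed sample: lock is the last effective line, so every rule loads first.
GOOD_RULES = """\
# constructed sample rules
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-e 2
"""

# Constructed sample: lock comes first, so the watch and syscall rule are stranded.
BAD_RULES = """\
-D
-e 2
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        lock_line, stranded = check_lock_position(text)
        print(f"{name}: -e 2 at line {lock_line}, {len(stranded)} rule(s) after it")
        for lineno, rule in stranded:
            print(f"  line {lineno} would not load: {rule}")
```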