RE: Audit reporting Invalid argument
Thanks Steve and Richard for your response.
I will provide the fix soon.
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> Not today. The check for uid 0 is a poor man's check for
> CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from non root
user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a couple lines
of code. But you still have the permissions of the directories that hold the rules to
correct. Easy to fix, but I think you might be fighting the distribution's package
manager which would set things back to root every update.
Regarding suppression of events, I will do some testing and let you
know later.
Is there a way I can avoid default logging of the audit events to
/var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use log_format =
NOLOG. If you have a current copy, then use write_logs = no.
-Steve
I do not want audit to log audit events to audit.log, however I will
capture them using my plug-in. Is there a way I can accomplish this? I
tried to commenting the log_file filed from auditd.conf, however the
events are still written to audit.log. I think below code from
auditd-config.c is causing audit to write to audit.log
config->log_file = strdup("/var/log/audit/audit.log");