Hello Steve,
you wrote:
>> I don't really understand why it is helping security, if I need to kill
>> auditd before I can open the netlink socket. For both I need root rights.
> The queueing is complicated and if you have a group of processes it gets
> real messy. The audit queue tries hard for guaranteed delivery or take the
> system down if the flow is not working right. It's not like syslog or
> iptables logging.
Ah I see! So I misread "security" to mean "prevent access" where it's
actually "security" as in "not possibly corrupted data", and that's very
welcome. Sorry about the confusion.
BTW: I looked at auditctl source and did some tests, and it seems the rules can
be set by using auditctl even without auditd running. So that means we don't
have to do that ourselves.
Best regards,
Kay Hayen
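The three kernel audit facts the exchange above turns on, as an added example (not part of the mail thread or the audit project's own code): whether a daemon is attached as the netlink consumer, what the kernel does when it cannot deliver a record, and whether the backlog is already dropping records. It reads the status text that `auditctl -s` prints; the sample status embedded below is constructed, and the "key value" line layout is an assumption about recent audit userspace (older releases print a single `AUDIT_STATUS:` line).

```shell
#!/bin/sh
# Added example, not from the mail exchange: turn `auditctl -s` output into
# the facts that matter for the queueing discussion: is a daemon attached,
# what happens when delivery fails, and is the backlog losing records.
# SAMPLE_STATUS is constructed; the key/value layout assumes recent auditctl.

SAMPLE_STATUS='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000'

# audit_field KEY: print the value of KEY from status text read on stdin.
audit_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# audit_consumer STATUS: "running" when a daemon has registered its pid with
# the kernel as the netlink consumer, "none" otherwise. With no consumer the
# kernel falls back to printk, so nothing competes for the netlink queue.
audit_consumer() {
    pid=$(printf '%s\n' "$1" | audit_field pid)
    if [ "${pid:-0}" -ne 0 ]; then echo running; else echo none; fi
}

# audit_failure_mode STATUS: what the kernel does when a record cannot be
# delivered (backlog full, consumer gone). Mode 2 is the "take the system
# down" behaviour the mail refers to; it is configured with `auditctl -f 2`.
audit_failure_mode() {
    case "$(printf '%s\n' "$1" | audit_field failure)" in
        0) echo silent ;;
        1) echo printk ;;
        2) echo panic ;;
        *) echo unknown ;;
    esac
}

# audit_queue_healthy STATUS: succeed when no records have been lost and the
# backlog is still below its limit; fail otherwise.
audit_queue_healthy() {
    lost=$(printf '%s\n' "$1" | audit_field lost)
    backlog=$(printf '%s\n' "$1" | audit_field backlog)
    limit=$(printf '%s\n' "$1" | audit_field backlog_limit)
    [ "${lost:-0}" -eq 0 ] && [ "${backlog:-0}" -lt "${limit:-0}" ]
}

# Use the live status when auditctl is present and may talk to the kernel
# (root / CAP_AUDIT_CONTROL); otherwise fall back to the constructed sample.
status=$(auditctl -s 2>/dev/null) || status=$SAMPLE_STATUS

echo "consumer:     $(audit_consumer "$status")"
echo "failure mode: $(audit_failure_mode "$status")"
if audit_queue_healthy "$status"; then
    echo "queue:        healthy"
else
    echo "queue:        losing records or backlog at limit"
fi
```

Run as root on a host with auditd installed it reports the live state; anywhere else it evaluates the constructed sample, which shows a kernel with no daemon attached (pid 0), printk failure mode and an empty backlog, i.e. exactly the situation in which auditctl can still load rules although auditd is not running.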