I was testing various failures of auditd, and amongst them I tested kill -SEGV and kill -KILL. I noticed that neither of these generate any audit event or log activity. It occurs to me that this could be worked around, and at the same time you could provide some additional level of reliability, if auditd could be run from inittab. Unfortunately, the only option to auditd seems to be -f, and this prevents it from logging in the normal manner.
Are there any other options which might achieve this? If not, is this a reasonable feature request?
Thanks,
Matt
--
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490