On Tuesday 19 August 2008 17:35:14 Kay Hayen wrote:
BTW: I looked at auditctl source and did some test, and it seems the
rules
can be set by using auditctl even without auditd running. So that means we
don't have to do that ourselves.
Sort of. The initscripts of auditd load the rules using
auditctl -R /etc/audit/audit.rules. So, you'd want to do that in your
initscript if you decide to replace auditd.
-Steve