Hi Steve,
On this version of audit-0.6.7, I noticed when you first start auditd, if you do
"service auditd start"
"auditctl -s"
It returns: "AUDIT_STATUS: enabled=1 flag=1 pid=6695 rate_limit=0 backlog_limit=64 lost=0 backlog=0"
But I'm not sure that enabled really is 1. Because if you start adding rules and executing syscalls, the audit records go to /var/log/messages instead of /var/log/audit.log.
But if you do:
"service auditd start"
"auditctl -s" (returns "AUDIT_STATUS: enabled=1 flag=1 pid=6723 rate_limit=0 backlog_limit=64 lost=0 backlog=0")
"auditctl -e 1" (returns "AUDIT_STATUS: enabled=1 flag=1 pid=6723 rate_limit=0 backlog_limit=64 lost=0 backlog=0")
Add rules and execute syscalls. Then the audit records will go to /var/log/audit.log.
This also occurs on audit-0.6.6 but not on audit-0.6.4. With audit-0.6.4, audit records will go to /var/log/audit.log without having to set "auditctl -e 1" after doing the restart.
Note, I observed this behavior with most, but not all, of the syscalls I tried. 'chmod' is one example. But 'open' seems to always go to /var/log/audit.log, regardless of whether or not I did the 'auditctl -e 1'.
-debbie
Steve Grubb <sgrubb@redhat.com>
Sent by: linux-audit-bounces@redhat.com 03/09/2005 06:02 PM
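A reproducible way to check the behaviour reported in the message above, as an added example that is not part of the original thread or of the audit package: the first two functions parse the AUDIT_STATUS line that auditctl -s prints, and the third performs a live check that adds a watch on a scratch file, triggers chmod and open on it, and reports whether the resulting records reached /var/log/audit.log or fell through to /var/log/messages. The sample status lines are constructed from the ones quoted in the report; the log paths are the ones the report names, and the watch syntax (auditctl -w/-W with -p wa) is current auditctl usage, so adjust both for an older installation. The live check only runs as root with auditctl installed.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread or the audit package.

# Print the value of one key (enabled, pid, lost, ...) from an AUDIT_STATUS line.
# Usage: audit_status_field "<status line>" <key>
audit_status_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Succeed only if the status line claims auditing is on AND a daemon pid is attached.
# A pid of 0 means no auditd has registered, so records go to syslog/printk.
audit_is_enabled() {
    [ "$(audit_status_field "$1" enabled)" = "1" ] &&
    [ "$(audit_status_field "$1" pid)" != "0" ]
}

# Constructed sample lines in the format quoted in the report.
SAMPLE_ENABLED="AUDIT_STATUS: enabled=1 flag=1 pid=6695 rate_limit=0 backlog_limit=64 lost=0 backlog=0"
SAMPLE_DISABLED="AUDIT_STATUS: enabled=0 flag=1 pid=0 rate_limit=0 backlog_limit=64 lost=0 backlog=0"

# Live check (assumed paths, root required): does a watched chmod/open show up in
# auditd's own log, or only in syslog?  Returns 0 if at least one record landed in
# AUDIT_LOG, 1 otherwise.
AUDIT_LOG=/var/log/audit.log
SYSLOG=/var/log/messages

audit_delivery_check() {
    status=$(auditctl -s) || return 1
    printf 'status: %s\n' "$status"
    audit_is_enabled "$status" ||
        printf 'warning: auditctl reports auditing off or no daemon; try: auditctl -e 1\n'

    scratch=$(mktemp /tmp/auditprobe.XXXXXX) || return 1
    auditctl -w "$scratch" -p wa >/dev/null || { rm -f "$scratch"; return 1; }

    chmod 600 "$scratch"     # the syscall the report says goes missing
    : >>"$scratch"           # an open(2) for writing, which the report says always arrives
    sleep 1                  # let auditd flush

    in_audit=$(grep -c -- "$scratch" "$AUDIT_LOG" 2>/dev/null || echo 0)
    in_syslog=$(grep -c -- "$scratch" "$SYSLOG" 2>/dev/null || echo 0)
    printf 'records in %s: %s, in %s: %s\n' "$AUDIT_LOG" "$in_audit" "$SYSLOG" "$in_syslog"

    auditctl -W "$scratch" -p wa >/dev/null 2>&1
    rm -f "$scratch"
    [ "$in_audit" -gt 0 ]
}

if [ "$(id -u)" -eq 0 ] && command -v auditctl >/dev/null 2>&1; then
    audit_delivery_check || printf 'records did not reach %s\n' "$AUDIT_LOG"
fi
```

If the warning fires but enabled=1 was printed, that is exactly the case described in the report: the status word says enabled, yet records are not reaching the daemon. Run `auditctl -e 1`, then rerun the check and compare the two counts.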