Hi,

I found that when I stop auditd, any existing audit rules still exist, but they are
deleted when I restart using audit-0.6.2. Is this new behavior deliberate and
preferred? Is there a new option to not delete rules on startup? All our tests
are stopping and restarting auditd between assertions and cleaning out the
log file to reduce clutter. We'll need to change the tests if this will no longer
work. If users have a lot of rules created but have to bring down auditd for
some reason, won't this be a problem?

Thanks!


Kris Wilson
Linux Security
(512) 838-0126 T/L:678-0126
krisw@us.ibm.com