auditctl -a entry,never -S all -F pid=XXXX
I see. Thank you for the info.
> 2) add option to use netlink_broadcast for kernel
> audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
> causes syslog write.
I don't want the audit log polluted with kernel error messages. I think they
belong in syslog.
Yeah, but isn't it nice to have if auditd can get kernel audit warnings with
netlink channel before panic? For example if auditd can check
audit_backlog_limit then auditd can do some safer action before
sudden kernel panic... I'm not saying completely replace it, just another
event for auditd.
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan