You have a race condition where auditd gets a signal to shutdown and an
event indicating that shutdown is occurring. On shutdown, the audit daemon
does not alter the rules or whether auditing is enabled. (This was to get
shutdown AVCs for selinux.) There is a chance that your event is in
syslog's files.
For clarity, I am still not sure whether audit rules can be written to
monitor auditd/audispd being killed or not (syslog was disabled under my
circumstances).
If yes, could you give me some tips? Thanks.