my syslogd was disabled.
Also, after auditd restarts, those messages don't appear anymore.
I want to know whether auditd (and its child process, audispd) can monitor
themselves being killed or not.
On Monday, January 4, 2016, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 16/01/04, Matthew Chao wrote:
> Hi,
>
> I added the following rules in audit.rules for monitoring auditd/audispd being
> killed (audit ver: 1.8),
> =============
> -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
>
> Or
> -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> =============
>
> However, these rules don't work: even when the processes (auditd/audispd) are
> killed, I can't get any related messages except DAEMON_END.
Is that because auditd is no longer there to receive that message? Did
it show up in syslog or were you able to re-start auditd before the hold
queue overflowed to be able to pick up those messages?
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating
Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
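An added example, not part of this thread and not code from the audit project: the detection side of what the thread is asking for. It assumes a rule of the form `-a always,exit -F arch=b64 -S kill -k kill_monitor` was loaded (the key name is hypothetical). That form is used because a `-F path=` filter only matches syscalls that perform a path lookup on the watched inode, and kill(2) performs none, so the `-S kill -F path=/var/run/auditd.pid` rules above can never fire. The sample records below are constructed for the example, with auditd assumed to run as pid 1234; on a real host the pid would be read from /var/run/auditd.pid. The kill(2) arguments a0 (target pid) and a1 (signal) are logged as unsigned hex, so the parser decodes them, including the negative pids used for process-group and broadcast signals. As the reply above points out, a SIGKILL produces no DAEMON_END and its SYSCALL record only reaches the log once auditd is back to drain the kernel's queue (or never, if the backlog overflowed), so this report is meant to be run over the log after a restart.

```python
import re

# Constructed sample records for this example (not from the original post).
# auditd is assumed to be pid 1234; the rule
#   -a always,exit -F arch=b64 -S kill -k kill_monitor
# is assumed to be loaded. Key name and all pids are hypothetical.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1451900000.123:456): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=f a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="kill_monitor"
type=SYSCALL msg=audit(1451900000.124:457): arch=c000003e syscall=62 success=yes exit=0 a0=1a0a a1=1 a2=0 a3=0 items=0 ppid=2000 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="kill_monitor"
type=SYSCALL msg=audit(1451900000.125:458): arch=c000003e syscall=62 success=yes exit=0 a0=ffffffffffffffff a1=f a2=0 a3=0 items=0 ppid=2000 pid=2003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="kill" exe="/usr/bin/kill" key="kill_monitor"
type=DAEMON_END msg=audit(1451900000.200:459): op=terminate auid=4294967295 pid=1234 subj=unconfined res=success
"""

# kill(2) syscall numbers keyed by the arch value the kernel logs.
KILL_SYSCALL = {"c000003e": 62, "40000003": 37}   # x86_64, i386
SIGNAL_NAMES = {1: "SIGHUP", 2: "SIGINT", 9: "SIGKILL", 15: "SIGTERM"}

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into type, timestamp, serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    rec.update(type=rtype, time=float(ts), serial=int(serial))
    return rec


def signed_arg(hexval):
    """Syscall args are logged as unsigned 64-bit hex; recover negative pids."""
    v = int(hexval, 16)
    return v - (1 << 64) if v >= (1 << 63) else v


def kill_events(lines):
    """Every kill(2) SYSCALL record, with target pid and signal decoded."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "SYSCALL":
            continue
        if int(rec.get("syscall", -1)) != KILL_SYSCALL.get(rec.get("arch")):
            continue
        sig = int(rec["a1"], 16)
        out.append({
            "serial": rec["serial"],
            "time": rec["time"],
            "target_pid": signed_arg(rec["a0"]),
            "signal": sig,
            "signal_name": SIGNAL_NAMES.get(sig, "SIG%d" % sig),
            "sender_pid": int(rec["pid"]),     # pid= on a SYSCALL record is the caller
            "auid": int(rec["auid"]),
            "comm": rec.get("comm"),
            "exe": rec.get("exe"),
        })
    return out


def kills_targeting(lines, pid):
    """kill() calls that can reach `pid`: an exact match or the -1 broadcast."""
    return [e for e in kill_events(lines) if e["target_pid"] in (pid, -1)]


def daemon_end_after(lines, serial):
    """DAEMON_END auditd wrote after `serial`, or None (a SIGKILL leaves none)."""
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "DAEMON_END" and rec["serial"] > serial:
            return rec
    return None


def report(lines, auditd_pid):
    """Who signalled auditd, with what, and whether it managed a clean shutdown."""
    kills = kills_targeting(lines, auditd_pid)
    graceful = bool(kills) and daemon_end_after(lines, kills[0]["serial"]) is not None
    return {"kills": kills, "graceful_shutdown": graceful}


if __name__ == "__main__":
    result = report(SAMPLE_LOG.splitlines(), 1234)
    for e in result["kills"]:
        print("%s -> pid %d from pid %d (auid %d, %s) serial %d" % (
            e["signal_name"], e["target_pid"], e["sender_pid"], e["auid"], e["exe"], e["serial"]))
    print("graceful shutdown:", result["graceful_shutdown"])
```

The auid on the matching record is what survives a `sudo kill`; the uid field only shows who the process ran as. If the report shows a kill of auditd's pid with no DAEMON_END after it, the daemon did not get to shut down cleanly, which is exactly the SIGKILL case the reply above is asking about.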