On Wednesday 15 August 2007 10:51:21 Matthew Booth wrote:
> Does this ring any bells?

Yes.

> Is there some other method of process creation I'm not aware of? Is init
> intentionally not audited, and if so, how do I audit it?

You must have the audit=1 boot parameter to audit any process that is created
before auditd runs. This is in the man page under NOTES.
-Steve
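
A way to check for the boot parameter mentioned in the reply above, as an added example that is not part of the original message or of the audit package. The helper name `audit_boot_state` and the sample command lines are constructed for illustration; it assumes the last `audit=` token on the command line is the one that takes effect.

```shell
#!/bin/sh
# Added example: classify the audit= setting on a kernel command line.
# audit_boot_state is a hypothetical helper, not a tool from the audit package.
# Output:
#   enabled  - audit=1 present; processes started before auditd can be audited
#   disabled - audit=0 present
#   unset    - no audit= token; processes created before auditd runs
#              (init included) are not auditable
audit_boot_state() (
    set -f                      # no globbing while splitting the command line
    # $1: command-line string; defaults to the running kernel's /proc/cmdline
    cmdline=${1-$(cat /proc/cmdline)}
    state=unset
    for tok in $cmdline; do
        case $tok in            # exact token match, so "noaudit=1" is ignored
            audit=1) state=enabled ;;
            audit=0) state=disabled ;;
        esac                    # assumption: a later token overrides an earlier one
    done
    printf '%s\n' "$state"
)

# Constructed sample command lines (not taken from any real system).
for sample in \
    'ro root=/dev/sda1 rhgb quiet' \
    'ro root=/dev/sda1 audit=1 rhgb quiet' \
    'ro root=/dev/sda1 audit=1 audit=0'
do
    printf '%-40s -> %s\n' "$sample" "$(audit_boot_state "$sample")"
done
```

Calling `audit_boot_state` with no argument reads `/proc/cmdline` on the running system.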