On Fri, 2005-04-08 at 12:10 -0500, Klaus Weidner wrote:
Sending SIGKILL to auditd needs administrator privileges, and for CAPP we
can assume/require them not to do that.
The pam_close_session record isn't required by CAPP; we had a discussion
about session end records some time ago. It's generally less reliable
than the start record anyway since the session close record doesn't mean
that all processes launched by that user have terminated; some may have
been backgrounded.
One answer to this might be to assign a unique 'session id' cookie at
login time, then store and log it with the loginuid at all times.
Going back to the issue of auditd shutdown, however -- are we satisfied
with merely generating records when the audit_pid is signalled, or
should I revert that patch while we seek a better solution?
--
dwmw2