Right, you need to add a sleep. Audit records do not show up
instantaneously.
How long it takes could be subject to debate. I'd be more interested in
figuring that out.
I'll look into that, maybe we can find an answer, architecture, hardware &
load dependent of course.
> As it was explained to me, the way the stop works is when auditd is told to
> "stop", the daemon dies,
Not really. It goes through a series of steps to stop processing and write the
shutdown record. It does not just die.
I think you took it a little too literally, but that's ok. I'll forgive you
this once ;)
> OK, good point. I remember it being mentioned during a meeting, but was there
> any further discussion about an "auditd stop" & "auditd shutdown" option?
No.
Deemed unnecessary & therefore pointless to further the debate?
- Mike