Re: Fwd: Re: Fw: Audit records for start/stop auditd
On Wednesday 06 April 2005 10:50, Kris Wilson wrote:
The current records are type DAEMON, and the messages state,
"auditd start"
and "auditd normal halt", so as far as administrator information, it is
already clear what has happened.
I was thinking about exiting as soon as I see the message come though or a
timeout - whichever comes first. However, I cannot parse the messages since
we need to write them as fast as possible. By having another message type, I
can do this.
But this is completely avoided if I can get the information when the signal is
delivered.
BTW, If I send a SIGKILL to the audit daemon - it gets yanked out of memory by
the kernel without any courtesy. I wonder how this was covered by laus or is
this considered outside the bounds of what is reasonable? Same thing with a
user shell, there won't be a pam_close_session call.
For LSPP are there additional requirements that we should consider now so that
this doesn't come up "next time"?
-Steve