I ran into the same problem - you can solve it with a little script that
starts auditd:
#!/bin/bash
# Restart the audit daemon; bail out if it does not come up.
/etc/init.d/auditd restart || exit 1
# Enable auditing in the kernel.
/sbin/auditctl -e 1
# Find auditd's PID by exact process name (the original ps|grep|cut
# pipeline depended on the PID's column width and was fragile).
PID=$(pgrep -x auditd)
if [ -z "$PID" ] ; then
    exit 2
fi
# Audit every syscall entry except those made by auditd itself,
# so the daemon's own log writes do not feed back into the audit trail.
/sbin/auditctl -a entry,always -S all -F pid!="$PID" || exit 3
Hope it helps.
Avishay Traeger
On Thu, 2005-02-03 at 23:15 +0900, Junji Kanemaru wrote:
> auditctl -a entry,never -S all -F pid=XXXX
I see. Thank you for the info.
>>2)add option to use netlink_broadcast for kernel
>>audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
>>causes syslog write.
>
>
> I don't want the audit log polluted with kernel error messages. I think they
> belong in syslog.
Yeah, but isn't it nice to have if auditd can get kernel audit warnings with
netlink channel before panic? For example if auditd can check
audit_backlog_limit then auditd can do some safer action before
sudden kernel panic... I'm not saying completely replace it, just another
event for auditd.
--
Avishay Traeger <atraeger(a)cs.sunysb.edu>