log messages - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

log messages

stopping "chatter"

(no subject)

Bill Tangren

Friday, 2 November 2007 Fri, 2 Nov '07

12:51 p.m.

When I restart my auditd daemon, I get a number of messages in /var/log/messages that look like this: Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule What does this mean? Does it mean that some of my rules in /etc/audit.rules are improper, and the server is removing them? TIA, Bill Tangren

Reply

Show replies by date

Steve Grubb

Friday, 2 November Fri, 2 Nov

1:39 p.m.

On Friday 02 November 2007 01:51:54 pm Bill Tangren wrote:

Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule What does this mean?

It means that the user logged in under acct 500 either deleted an audit rule by hand or ran a script that did. On shutdown, the audit daemon init script will delete rules unless you tell it not to in /etc/sysconfig/audit.

Does it mean that some of my rules in /etc/audit.rules are improper, and the server is removing them?

Most likely the initscript is removing the rules since you said it was on a restart. -Steve

Reply

6260

days inactive

6260

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

1 comments

2 participants

tags (0)

participants (2)

Bill Tangren
Steve Grubb