Fwd: Re: Fw: Audit records for start/stop auditd
Steve Grubb
sgrubb at redhat.com
Wed Apr 6 15:21:26 UTC 2005
On Wednesday 06 April 2005 10:50, Kris Wilson wrote:
> The current records are type DAEMON, and the messages state, "auditd start"
> and "auditd normal halt", so as far as administrator information, it is
> already clear what has happened.
I was thinking about exiting as soon as I see the message come through or a
timeout - whichever comes first. However, I cannot parse the messages since
we need to write them as fast as possible. By having another message type, I
can do this.
But this is completely avoided if I can get the information when the signal is
delivered.
BTW, if I send a SIGKILL to the audit daemon - it gets yanked out of memory by
the kernel without any courtesy. I wonder how this was covered by laus or is
this considered outside the bounds of what is reasonable? Same thing with a
user shell, there won't be a pam_close_session call.
For LSPP are there additional requirements that we should consider now so that
this doesn't come up "next time"?
-Steve
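An added illustration of the gap discussed above (example code, not from this thread or from the audit project): a SIGKILLed auditd never writes its "auditd normal halt" record, so the unclean stop can only be inferred afterwards from a start record that follows another start with no halt in between. The record layout around the type and message text is assumed, as are the sample lines.

```python
import re

# Constructed sample of audit daemon records. The thread states only that
# they are type DAEMON with text "auditd start" / "auditd normal halt"; the
# msg=audit(time:serial) field layout is an assumption for this example.
SAMPLE_LOG = """\
type=DAEMON msg=audit(1112799600.000:1): auditd start
type=DAEMON msg=audit(1112803200.000:2): auditd normal halt
type=DAEMON msg=audit(1112806800.000:3): auditd start
type=DAEMON msg=audit(1112810400.000:4): auditd start
"""

DAEMON_RE = re.compile(
    r"^type=DAEMON msg=audit\((\d+)\.\d+:\d+\): auditd (start|normal halt)$"
)


def find_unclean_stops(log_text):
    """Return the timestamps of 'auditd start' records that were not preceded
    by an 'auditd normal halt'. Each one means the previous daemon instance
    ended without writing its halt record, e.g. it was SIGKILLed, so the
    audit trail between that start and this one should be treated as
    possibly incomplete."""
    unclean = []
    running = False
    for line in log_text.splitlines():
        m = DAEMON_RE.match(line)
        if not m:
            continue  # not a daemon lifecycle record
        ts, event = int(m.group(1)), m.group(2)
        if event == "start":
            if running:
                unclean.append(ts)  # start seen while a start was still open
            running = True
        else:
            running = False  # clean halt closes the open start
    return unclean


if __name__ == "__main__":
    for ts in find_unclean_stops(SAMPLE_LOG):
        print("auditd restarted at %d without a prior normal halt" % ts)
```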