
Re: audit auditd's syscall?



> auditctl -a entry,never -S all -F pid=XXXX

I see. Thank you for the info.

>>2)add option to use netlink_broadcast for kernel 
>>audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
>>causes syslog write.
> 
> 
> I don't want the audit log polluted with kernel error messages. I think they 
> belong in syslog.

Yeah, but wouldn't it be nice if auditd could get kernel audit warnings over
the netlink channel before a panic? For example, if auditd can check
audit_backlog_limit, then auditd can take some safer action before a
sudden kernel panic... I'm not saying completely replace it, just another
event for auditd.

-- 
Junji Kanemaru
Linuon Inc.
Tokyo Japan

