[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Removal of audit rules with audit start

On Monday 14 February 2005 15:32, Kris Wilson wrote:
> I found that when I stop auditd, any existing audit rules still exist, but
> they are deleted when I restart using audit-0.6.2.  Is this new behavior
> deliberate and preferred?  

Yes. It wasn't done with your test suite in mind, but as a first round attempt 
to solve real production server issues. The preferred way to "reload" rules 

service auditd restart

This means that it terminates the audit daemon, re-runs it, deletes the rules 
and reloads the rules. I'm still looking this over and may tweak it some more 
in the next release. I may make a "reload" target that doesn't stop the 
daemon, but just reloads the auditctl rules. 

I'm not sure a sighup makes sense for this daemon. I'd have to re-architect 
some of it to stop the logging thread and make a new logging thread with new 
config data. I plan to revisit this issue down the road after seeing how the 
current version works out.

> Is there a new option to not delete rules on startup?


> All our tests are stopping and restarting auditd between assertions and
> cleaning out the log file to reduce clutter.  We'll need to change the tests
> if this will no  longer work. 

What I would suggest is commenting out the -D at the top of /etc/audit.rules. 
Or maybe you want many different audit.rules files and your test script swaps 
out the file between "runs".

-Steve Grubb

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]