Removal of audit rules with audit start
Steve Grubb
sgrubb at redhat.com
Tue Feb 15 14:10:02 UTC 2005
On Monday 14 February 2005 15:32, Kris Wilson wrote:
> I found that when I stop auditd, any existing audit rules still exist, but
> they are deleted when I restart using audit-0.6.2. Is this new behavior
> deliberate and preferred?
Yes. It wasn't done with your test suite in mind, but as a first-round attempt
to solve real production server issues. The preferred way to "reload" rules
is:
service auditd restart
This means that it terminates the audit daemon, re-runs it, deletes the rules
and reloads the rules. I'm still looking this over and may tweak it some more
in the next release. I may make a "reload" target that doesn't stop the
daemon, but just reloads the auditctl rules.
I'm not sure a SIGHUP makes sense for this daemon. I'd have to re-architect
some of it to stop the logging thread and make a new logging thread with new
config data. I plan to revisit this issue down the road after seeing how the
current version works out.
> Is there a new option to not delete rules on startup?
No.
> All our tests are stopping and restarting auditd between assertions and
> cleaning out the log file to reduce clutter. We'll need to change the tests
> if this will no longer work.
What I would suggest is commenting out the -D at the top of /etc/audit.rules.
Or maybe you want many different audit.rules files and your test script swaps
out the file between "runs".
Thanks,
-Steve Grubb
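The two workarounds Steve suggests (comment out the -D at the top of the rules file, or have the test script swap in a per-test audit.rules around each run), as an added example that is not part of the original message. The rules file path, the restart command and the sample rule lines are assumptions, written so the helpers can be exercised against scratch files.

```shell
#!/bin/sh
# Added example; not from the original thread. RULES_FILE and RESTART_CMD are
# assumptions (overridable) so the functions can run against scratch copies.
RULES_FILE="${RULES_FILE:-/etc/audit.rules}"
RESTART_CMD="${RESTART_CMD:-service auditd restart}"

# Option A: keep rules across restarts by commenting out every bare "-D"
# (delete-all-rules directive) in the rules file. Reads $1, writes $2.
# Only lines that are exactly "-D" (plus surrounding whitespace) are touched,
# so real rules such as "-a exit,always -S open" pass through unchanged.
disable_delete_all() {
    src="$1"; dst="$2"
    sed -e 's/^[[:space:]]*-D[[:space:]]*$/# -D (disabled: keep rules across restart)/' \
        "$src" > "$dst"
}

# Option B: swap a per-test rules file into place, restart auditd so the new
# rules load, run the test command ($2...), then restore the original file and
# restart again so the live rule set is left as it was found.
run_with_rules() {
    test_rules="$1"; shift
    backup="$(mktemp)"
    cp "$RULES_FILE" "$backup"
    cp "$test_rules" "$RULES_FILE"
    if ! $RESTART_CMD; then
        cp "$backup" "$RULES_FILE"; rm -f "$backup"; return 1
    fi
    "$@"; rc=$?
    cp "$backup" "$RULES_FILE"
    $RESTART_CMD
    rm -f "$backup"
    return $rc
}
```

In a real harness, run_with_rules is called as root with RULES_FILE and RESTART_CMD left at their defaults; here they are overridden only so the helpers can be checked against temporary files.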