I was wondering, based on the number of sleeps we need to put into our test cases (and this might already have been said; if so, keep the flames to a low simmer), is there some way to change auditd stop to have it capture all of the messages up until the point where the stop was issued?
Seems to me that while this change doesn't have to come now, it would be a nice addition in the future. Perhaps having the auditd stop insert a message into the queue (if that's possible?) and have auditd die when it sees that message, as opposed to just dropping dead when the stop is made, causing a possible (and highly probable, happens all the time with our tests if they don't have sleeps) loss of information.
Thought I'd mention it if no one has yet.
BTW, if this isn't in plaintext, let me know; until this point it has been.