
Re: audit-0.6.7 released



I am using kernel: 2.6.11-1.1176_FC4.


From: Steve Grubb <sgrubb redhat com>
Sent by: linux-audit-bounces redhat com
Date: 03/10/2005 04:02 PM
Please respond to: Linux Audit Discussion
To: Linux Audit Discussion <linux-audit redhat com>
cc:
Subject: Re: audit-0.6.7 released

On Thursday 10 March 2005 15:55, Debora Velarde wrote:
> But I'm not sure that enabled really is 1.  Because if you start adding
> rules and executing syscalls, the audit records go to /var/log/messages
> instead of /var/log/audit.log.

This sounds like the kernel bug that I was chasing over the weekend. What
kernel are you using? I'm using the latest from the yum repo (I think .11)
and don't see this problem.

If enabled is 1 & the pid matches the audit daemon's, the audit daemon had
better get the packets or there's a kernel problem. The kernel decides the
packet disposition between auditd & syslog.

-Steve

--
Linux-audit mailing list
Linux-audit redhat com
http://www.redhat.com/mailman/listinfo/linux-audit
