Running auditd from inittab
Steve Grubb
sgrubb at redhat.com
Fri Feb 2 20:24:38 UTC 2007
On Friday 02 February 2007 08:02, Matthew Booth wrote:
> I was testing various failures of auditd, and amongst them I tested kill
> -SEGV and kill -KILL. I noticed that neither of these generate any audit
> event or log activity.

KILL is uncatchable and SEGV would mean that the audit daemon is about to die,
so no writing would be possible.

> It occurs to me that this could be worked around, and at the same time you
> could provide some additional level of reliability, if auditd could be run
> from inittab.

It was never intended to be run from that.

> Unfortunately, the only option to auditd seems to be -f, and this prevents
> it from logging in the normal manner.

-f is for foreground debug.

> Are there any other options which might achieve this?

No.

> If not, is this a reasonable feature request?

I'm not sure. There are the issues of how to get rules loaded and logging
partition availability.

-Steve