Audit for live supervision

Kay Hayen kayhayen at gmx.de
Tue Aug 19 20:33:58 UTC 2008


Hello Steve,

> > Can you confirm that two processes opening netlink sockets for audit
> > information get the same messages?
>
> Only one audit pid is allowed for security purposes.

Damn security. I saw that patch while googling, and hoped it wasn't merged, 
but seems it was. 

I don't really understand why it is helping security, if I need to kill auditd 
before I can open the netlink socket. For both I need root rights. 

There isn't any SELinux in the play, is there? 

Because if that were the case, we could e.g. only open the netlink socket with 
the auditd binary. That would be effective, and configuration we could then 
change.

But probably pointless to waste your time on this, given how little I 
understand security. I just can't resist, feels like a bike-shed and really 
annoying limitation for our non-security interested system. :-)

Best regards,
Kay Hayen



