
Re: audit more syscalls during boot before auditd starts?



> But even if you successfully load rules early...you need a daemon to collect
> the results before the internal kernel buffer overflows and forever lose the
> events. So, this means getting the audit daemon running earlier and its main
> requirement is the MAC policy already be loaded and the disk system mounted
> (perhaps networking running if you use remote logging).

Thanks, Steve.

