How to monitor audit/audispd killed

Matthew Chao mathewchao at gmail.com
Mon Jan 4 19:29:31 UTC 2016


>You have a race condition where auditd gets a signal to shutdown and an event
>indicating that shutdown is occurring. On shutdown, the audit daemon does not
>alter the rules or whether auditing is enabled. (This was to get shutdown AVCs
>for selinux.) There is a chance that your event is in syslog's files.


For clarity, I am still not sure whether audit rules can be written to
monitor auditd/audispd being killed or not (syslog was disabled under my
circumstances).
If yes, could you give me some tips? Thanks.