how to audit auditd itself ?
Steve Grubb
sgrubb at redhat.com
Fri Sep 1 15:11:00 UTC 2017
On Friday, September 1, 2017 8:58:47 AM EDT Maupertuis Philippe wrote:
> The 30-pci-dss-v31.rules in the doc directory contains the following
> statement:
> ## 10.2.6 Verify the following are logged:
> ## Initialization of audit logs
> ## Stopping or pausing of audit logs.
> ## These are handled implicitly by auditd
>
> This is very good since nothing needs to be done, but how can I actually find
> when these events occur?
DAEMON_START
DAEMON_END
> I am not sure what "pausing of audit logs" means;
> can we really "pause" auditd?
In a sense you can by stopping the service.
-Steve
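
Added example, not part of the original message: a Python script that pulls the DAEMON_START and DAEMON_END records named in the reply out of raw audit log text and reports the windows in which auditd was stopped. The sample log lines are constructed, and the function names and the reading of a start with no preceding end as an unclean stop are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in raw audit.log layout (not taken from a real host).
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1504249200.100:7001): op=start ver=2.7.6 format=raw auid=4294967295 pid=812 uid=0 res=success
type=SYSCALL msg=audit(1504250000.250:7002): arch=c000003e syscall=2 success=yes exit=3 pid=1501 uid=0 comm="cat"
type=DAEMON_END msg=audit(1504252800.500:7003): op=terminate auid=0 pid=1 res=success
type=DAEMON_START msg=audit(1504253400.000:7004): op=start ver=2.7.6 format=raw auid=4294967295 pid=2290 uid=0 res=success
type=DAEMON_START msg=audit(1504260000.000:7005): op=start ver=2.7.6 format=raw auid=4294967295 pid=801 uid=0 res=success
"""

# Every audit record starts with type=<TYPE> msg=audit(<epoch.millis>:<serial>).
RECORD = re.compile(r"^type=(DAEMON_START|DAEMON_END) msg=audit\((\d+\.\d+):\d+\)")

def daemon_events(text):
    """Return [(epoch_seconds, record_type)] for auditd start/stop records, time-ordered."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            events.append((float(m.group(2)), m.group(1)))
    return sorted(events)

def logging_gaps(events):
    """Return (gaps, unclean): gaps are (end, next_start) windows with auditd stopped;
    unclean are start times with no DAEMON_END before them (assumed interpretation:
    the daemon died without logging its stop, so the stop time is unknown)."""
    gaps, unclean = [], []
    running, stopped_at = False, None
    for ts, kind in events:
        if kind == "DAEMON_END":
            running, stopped_at = False, ts
            continue
        if running:
            unclean.append(ts)
        elif stopped_at is not None:
            gaps.append((stopped_at, ts))
        running, stopped_at = True, None
    return gaps, unclean

if __name__ == "__main__":
    gaps, unclean = logging_gaps(daemon_events(SAMPLE_LOG))
    iso = lambda ts: datetime.fromtimestamp(ts, timezone.utc).isoformat()
    for end, start in gaps:
        print(f"auditd stopped {iso(end)} -> {iso(start)} ({start - end:.1f}s)")
    for ts in unclean:
        print(f"auditd started {iso(ts)} with no prior DAEMON_END")
```

On a live system the same records can be listed with `ausearch -m DAEMON_START,DAEMON_END`; feed the script all rotated log files together so that a start and its matching end are not split across inputs.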