From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matthew Booth <mbooth@redhat.com>
Subject: Running auditd from inittab
Date: Fri, 02 Feb 2007 13:02:52 +0000
Message-ID: <1170421372.6772.22.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1769543399=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from [192.168.250.101] (sebastian-int.corp.redhat.com
	[172.16.52.221])
	by pobox.surrey.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	l12JpA4f024524
	for <linux-audit@redhat.com>; Fri, 2 Feb 2007 19:51:12 GMT
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


--===============1769543399==
Content-Type: multipart/alternative; boundary="=-676K75aOBXsYi0peTbCE"


--=-676K75aOBXsYi0peTbCE
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

I was testing various failures of auditd, and amongst them I tested kill
-SEGV and kill -KILL. I noticed that neither of these generate any audit
event or log activity. It occurs to me that this could be worked around,
and at the same time you could provide some additional level of
reliability, if auditd could be run from inittab. Unfortunately, the
only option to auditd seems to be -f, and this prevents it from logging
in the normal manner.

Are there any other options which might achieve this? If not, is this a
reasonable feature request?

Thanks,

Matt
-- 
Red Hat, Global Professional Services

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

--=-676K75aOBXsYi0peTbCE
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/3.12.0">
</HEAD>
<BODY>
I was testing various failures of auditd, and amongst them I tested kill -SEGV and kill -KILL. I noticed that neither of these generate any audit event or log activity. It occurs to me that this could be worked around, and at the same time you could provide some additional level of reliability, if auditd could be run from inittab. Unfortunately, the only option to auditd seems to be -f, and this prevents it from logging in the normal manner.<BR>
<BR>
Are there any other options which might achieve this? If not, is this a reasonable feature request?<BR>
<BR>
Thanks,<BR>
<BR>
Matt<BR>
<TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="100%">
<TR>
<TD>
<PRE>
-- 
Red Hat, Global Professional Services

M:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; +44 (0)7977 267231
GPG ID:&nbsp; D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
</PRE>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

--=-676K75aOBXsYi0peTbCE--


--===============1769543399==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1769543399==--