From: Steve Grubb
To: linux-audit@redhat.com
Subject: Re: Running auditd from inittab
Date: Fri, 2 Feb 2007 15:24:38 -0500
Message-ID: <200702021524.38799.sgrubb@redhat.com>
In-Reply-To: <1170421372.6772.22.camel@localhost.localdomain>

On Friday 02 February 2007 08:02, Matthew Booth wrote:
> I was testing various failures of auditd, and amongst them I tested kill
> -SEGV and kill -KILL. I noticed that neither of these generate any audit
> event or log activity.

KILL is uncatchable and SEGV would mean that the audit daemon is about to die,
so no writing would be possible.

> It occurs to me that this could be worked around, and at the same time you
> could provide some additional level of reliability, if auditd could be run
> from inittab.

It was never intended to be run from that.

> Unfortunately, the only option to auditd seems to be -f, and this prevents
> it from logging in the normal manner.

-f is for foreground debug.

> Are there any other options which might achieve this?

No.

> If not, is this a reasonable feature request?

I'm not sure. There are the issues of how to get rules loaded and logging
partition availability.

-Steve
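
The signal behaviour discussed in this thread, as an added example that is not part of the original message and is not auditd code: the kernel refuses a handler for SIGKILL, so the dying process cannot log anything itself, while a supervising parent (the role init would play for an inittab entry) can still read the terminating signal from the wait status. The function names `can_catch` and `supervise_once` are hypothetical, and the child is a stand-in process, not the audit daemon.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static void on_signal(int signo) { (void)signo; }

/* 1 if a handler can be installed for signo, 0 if the kernel refuses. */
int can_catch(int signo)
{
    struct sigaction sa = {0}, old;
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    if (sigaction(signo, &sa, &old) != 0)
        return 0;                 /* EINVAL for SIGKILL and SIGSTOP */
    sigaction(signo, &old, NULL); /* put the previous disposition back */
    return 1;
}

/* Fork a stand-in daemon, send it signo, and return the terminating signal
   the parent reads from the wait status (-1 on error or normal exit). */
int supervise_once(int signo)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        signal(signo, SIG_DFL);   /* default action, no handler in the child */
        for (;;)
            pause();              /* idle until the signal arrives */
    }
    if (kill(pid, signo) != 0)
        return -1;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : -1;
}

int main(void)
{
    printf("catch SIGKILL=%d SIGSEGV=%d\n", can_catch(SIGKILL), can_catch(SIGSEGV));
    printf("parent saw signal %d\n", supervise_once(SIGKILL));
    return 0;
}
```

The parent-side status is the only place the SIGKILL case is visible, which is why a record of it has to come from outside the process that died.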