From: Kay Hayen
Subject: Re: Audit for live supervision
Date: Tue, 19 Aug 2008 23:35:14 +0200
To: Steve Grubb
Cc: linux-audit@redhat.com, alex@segv.de
Message-ID: <200808192335.14169.kayhayen@gmx.de>
In-Reply-To: <200808191647.16340.sgrubb@redhat.com>

Hello Steve,

you wrote:

> > I don't really understand why it is helping security, if I need to kill
> > auditd before I can open the netlink socket. For both I need root rights.
>
> The queueing is complicated and if you have a group of processes it gets
> real messy. The audit queue tries hard for guaranteed delivery or takes the
> system down if the flow is not working right. It's not like syslog or
> iptables logging.

Ah, I see! So I misread "security" to mean "prevent access" where it's actually "security" as in "not possibly corrupted data", and that's very welcome. Sorry about the confusion.

BTW: I looked at the auditctl source and did some tests, and it seems the rules can be set by using auditctl even without auditd running. So that means we don't have to do that ourselves.

Best regards,
Kay Hayen