On Wednesday 15 August 2007 10:51:21 Matthew Booth wrote:
> Does this ring any bells?

Yes.

> Is there some other method of process creation I'm not aware of? Is init
> intentionally not audited, and if so, how do I audit it?

You must have the audit=1 boot parameter to audit any process that is created before auditd runs. This is in the man page under NOTES.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
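A check for the boot parameter named in the reply above, as an added example that is not part of the original message. The function name, the constructed sample command lines, and the choice to report the last audit= token when several are present are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report the boot-time audit
# setting found in a kernel command line, so a host can be checked for
# processes (such as init) that start before auditd and go unaudited.

# audit_boot_state CMDLINE
# Prints one of:
#   enabled          an audit=1 token is present
#   disabled         an audit=0 token is present
#   unset            no audit= token at all
#   unknown:<value>  audit= carries some other value
# Assumption: if audit= appears more than once, the last token is reported.
# The body runs in a subshell so that 'set -f' does not leak to the caller.
audit_boot_state() (
    set -f              # no globbing while the command line is word-split
    state=unset
    for tok in $1; do   # unquoted on purpose: split on whitespace
        case "$tok" in
            audit=1) state=enabled ;;
            audit=0) state=disabled ;;
            audit=*) state="unknown:${tok#audit=}" ;;
        esac
    done
    printf '%s\n' "$state"
)

# Constructed sample command lines (not taken from a real host).
SAMPLE_WITH='ro root=/dev/sda1 rhgb quiet audit=1'
SAMPLE_WITHOUT='ro root=/dev/sda1 rhgb quiet audit_backlog_limit=8192'

echo "sample with audit=1:    $(audit_boot_state "$SAMPLE_WITH")"
echo "sample without audit=1: $(audit_boot_state "$SAMPLE_WITHOUT")"

# On a Linux host, check the command line the running kernel was booted with.
if [ -r /proc/cmdline ]; then
    echo "running kernel:         $(audit_boot_state "$(cat /proc/cmdline)")"
fi
```

A result of unset or disabled on the running kernel means processes created before auditd starts are not audited.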
