You could construct your audit rules dynamically so that they exclude the dispatcher. You'd have to know its pid and then have a -F pid!= xxx option on your audit rules. I haven't tried that but it should work. You'd have to re-do the rules if the dispatcher was restarted so it's kind of clunky.
I think the feature that LAuS had for letting trusted programs enable/disable auditing of themselves was kind of handy.

-- ljk

Matthew Booth wrote:
> The kernel ignores auditable events from the audit daemon, but is there
> an 'approved' way to achieve the same for dispatchers? The problem is
> the same, in that you get an infinite loop if the dispatcher itself
> performs any action which generates an audit record.
>
> Thanks,
>
> Matt
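One way to generate the rules described in the reply above, as an added example that is not part of the original message or the audit project's own code: a shell function that appends `-F pid!=<pid>` to each `-a` rule. The function name, the sample rules and pid 4242 are constructed for illustration; `-w` watches are passed through unchanged because auditctl accepts only `-p` and `-k` with a watch.

```shell
#!/bin/sh
# Added example (not from the original message): append a pid exclusion
# to audit syscall rules. Reads rules on stdin, writes them on stdout.
exclude_pid_rules() {
    pid=$1
    # Accept only a plain decimal pid so nothing else reaches the rules.
    case $pid in
        ''|*[!0-9]*) echo "exclude_pid_rules: bad pid '$pid'" >&2; return 2 ;;
    esac
    while IFS= read -r rule || [ -n "$rule" ]; do
        case $rule in
            *"-F pid"*)
                # Rule already filters on pid: leave it alone.
                printf '%s\n' "$rule" ;;
            -[aA]" never,"*|-[aA]" "*",never"*)
                # Suppression rule: adding a filter would change what it hides.
                printf '%s\n' "$rule" ;;
            -[aA]" "*)
                printf '%s -F pid!=%s\n' "$rule" "$pid" ;;
            "-w "*)
                # Watches take only -p and -k, so they cannot carry -F pid.
                echo "exclude_pid_rules: watch left unfiltered: $rule" >&2
                printf '%s\n' "$rule" ;;
            *)
                # Comments, blank lines, -D, -b and so on pass through.
                printf '%s\n' "$rule" ;;
        esac
    done
}

# Constructed sample rules and a constructed dispatcher pid (4242).
SAMPLE_RULES='# constructed sample
-a always,exit -F arch=b64 -S execve -k exec
-w /etc/passwd -p wa -k identity
-a never,exit -F arch=b64 -S getpid
-a always,exit -F arch=b64 -S open -F pid!=1 -k opens'

printf '%s\n' "$SAMPLE_RULES" | exclude_pid_rules 4242
```

The output has to be regenerated and reloaded (for example with `auditctl -R`) each time the dispatcher restarts, since its pid changes.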
