On Tuesday 19 August 2008 16:33:58 Kay Hayen wrote: > > Only one audit pid is allowed for security purposes. > > Damn security. I saw that patch while googling, and hoped it wasn't merged, > but seems it was.
Its been there since 2.6.6 kernel. IOW - day 1. > I don't really understand why it is helping security, if I need to kill > auditd before I can open the netlink socket. For both I need root rights. The queueing is complicated and if you have a group of processes it gets real messy. The audit queue tries hard for guaranteed delivery or take the system down if the flow is not working right. Its not like syslog or iptables logging. > There isn't any SELinux in the play, is there? SE Linux helps for MLS systems, but for CAPP, it doesn't come into play. The data flowing through the audit system could be very sensitive. Anyone needing access to the stream either needs to replace auditd, write their own dispatcher, or write a plugin to the shipped dispatcher. This way the admin knows exactly what processes have access to the data. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
