On Tuesday 19 August 2008 17:35:14 Kay Hayen wrote: > BTW: I looked at auditctl source and did some test, and it seems the rules > can be set by using auditctl even without auditd running. So that means we > don't have to do that ourselves.
Sort of. The initscripts of auditd load the rules using auditctl -R /etc/audit/audit.rules. So, you'd want to do that in your initscript if you decide to replace auditd. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
