> But even if you successfully load rules early...you need a daemon to collect
> the results before the internal kernel buffer overflows and forever lose the
> events. So, this means getting the audit daemon running earlier and its main
> requirement is the MAC policy already be loaded and the disk system mounted
> (perhaps networking running if you use remote logging).

Thanks, Steve.

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
