On Tuesday, March 22, 2016 02:26:33 PM Boyce, Kevin P wrote:
> With regard to this subject I don't know if it is possible, but it bothers
> me when shutting down a system that you get errors (when -e 2 is enabled)
> when auditd is stopping. That might be unavoidable though.

If this is a sysVinit system, then there are variables in /etc/sysconfig/auditd 
such as AUDITD_CLEAN_STOP that determine what the init script does.

If you have a systemd-based init system, then by default it does not modify 
rules like the sysVinit one does. It does have an ExecStopPost= variable that 
can be modified if you wanted to clear rules on shutdown.

-Steve

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Steve Grubb
> Sent: Tuesday, March 22, 2016 10:06 AM
> To: [email protected]
> Subject: EXT :Re: audit.rules setting
> 
> On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote:
> > Does the "-e 2" have to be the last line of the audit.rules file?
> 
> Yes. Once it's sent to the kernel, the kernel rules tables are immutable.
> 
> > Does it have to be listed prior to all of the syscalls and watches
> > configured in the file?
> 
> No. This will make it not load anything.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
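
Added example, not part of the original thread: a small lint for the placement rule discussed above, reporting whether "-e 2" is the last effective line of a rules file. The function name, exit codes and sample rules are constructed for illustration; it assumes one rule per line with "#" comments.

```shell
#!/bin/sh
# Added example: lint an audit.rules file for the placement of "-e 2".
# Assumption: one rule per line, "#" starts a comment line.

# check_immutable_placement FILE
#   prints a verdict and returns:
#   0  "-e 2" is the last effective line
#   1  rules follow "-e 2" (the tables are already immutable when they load)
#   2  no "-e 2" in the file (rules stay mutable)
check_immutable_placement() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and comment lines
        lock && !late { late = NR ": " $0 }    # first rule found after the lock
        $1 == "-e" && $2 == "2" { lock = NR }  # remember where the lock is set
        END {
            if (!lock) { print "no -e 2: rules remain mutable"; exit 2 }
            if (late) {
                print "-e 2 on line " lock " precedes rule at line " late
                exit 1
            }
            print "ok: -e 2 on line " lock " is the last rule"
        }
    ' "$1"
}

# Constructed sample: the lock comes first, so the watch after it is flagged.
sample=$(mktemp)
printf '%s\n' '-D' '-e 2' '-w /etc/passwd -p wa -k identity' > "$sample"
check_immutable_placement "$sample" || echo "exit status $?"
rm -f "$sample"
```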
