I have the following in my test audit configuration on RHEL4 U5:
-a entry,always -S exit -S exit_group -S execve -S fork -S vfork -S clone
My first observation is that I've never seen an audit record with pid=1.
It's fairly easy to reproduce this one. Log in at the console, then log
out. You'll
Renumber AUDIT_TTY_[GS]ET to avoid a conflict with netlink message types
already used in the wild.
From: Miloslav Trmac [EMAIL PROTECTED]
Signed-off-by: Miloslav Trmac [EMAIL PROTECTED]
---
On Wednesday 15 August 2007 10:51:21 Matthew Booth wrote:
> Does this ring any bells?
Yes.
> Is there some other method of process creation I'm not aware of? Is init
> intentionally not audited, and if so, how do I audit it?
You must have the audit=1 boot parameter to audit any process that is