List: linux-audit
Subject: Re: log messages
From: Steve Grubb <sgrubb () redhat ! com>
Date: 2007-11-02 18:39:00
Message-ID: 200711021439.00367.sgrubb () redhat ! com
On Friday 02 November 2007 01:51:54 pm Bill Tangren wrote:
>
> Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500
> removed an audit rule
>
> What does this mean?

It means that the user logged in under acct 500 either deleted an audit rule
by hand or ran a script that did. On shutdown, the audit daemon init script
will delete rules unless you tell it not to in /etc/sysconfig/audit.

> Does it mean that some of my rules in
> /etc/audit.rules are improper, and the server is removing them?

Most likely the initscript is removing the rules since you said it was on a
restart.

-Steve
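
An added example, not part of the original message: a small Python parser for the kernel audit record format quoted above, which groups "removed an audit rule" records per auid so that a run of removals (as a script flushing the rules would produce) can be told apart from a single removal. The 2-second window, the function names, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Record layout as quoted in the thread:
#   audit(<epoch secs>.<msecs>:<serial>): auid=<id> <message>
RECORD = re.compile(r"audit\((\d+)\.(\d+):(\d+)\):\s+auid=(\d+)\s+(.*)$")

def parse(line):
    """Return the fields of one kernel audit syslog line, or None if it is not one."""
    m = RECORD.search(line)
    if not m:
        return None
    secs, msecs, serial, auid, msg = m.groups()
    utc = datetime.fromtimestamp(int(secs), timezone.utc)
    return {"epoch": int(secs) + int(msecs) / 1000,
            "utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "serial": int(serial), "auid": int(auid), "msg": msg.strip()}

def removal_bursts(lines, window=2.0):
    """Group rule removals by the same auid that occur at most `window` seconds apart.
    The window is an assumed heuristic, not something auditd defines."""
    bursts = []
    for rec in filter(None, map(parse, lines)):
        if rec["msg"] != "removed an audit rule":
            continue
        last = bursts[-1] if bursts else None
        if last and last["auid"] == rec["auid"] and rec["epoch"] - last["end"] <= window:
            last["end"] = rec["epoch"]
            last["count"] += 1
        else:
            bursts.append({"auid": rec["auid"], "start_utc": rec["utc"],
                           "end": rec["epoch"], "count": 1})
    return bursts

SAMPLE = [
    # First line is the one from the thread (re-joined); the rest are constructed.
    "Nov 2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule",
    "Nov 2 10:27:25 charon kernel: audit(1194013645.795:6809): auid=500 removed an audit rule",
    "Nov 2 10:27:25 charon kernel: audit(1194013645.797:6810): auid=500 removed an audit rule",
    "Nov 2 10:27:26 charon kernel: some unrelated kernel message",
    "Nov 2 11:02:10 charon kernel: audit(1194015730.120:6990): auid=501 removed an audit rule",
]

if __name__ == "__main__":
    for b in removal_bursts(SAMPLE):
        kind = "run of removals" if b["count"] > 1 else "single removal"
        print(f'{b["start_utc"]} auid={b["auid"]} count={b["count"]} ({kind})')
```

A run starting at the time of a service stop or restart matches the init script explanation given in the reply; a single removal at another time is worth checking against what the user with that auid was doing.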