
List:       linux-audit
Subject:    Re: log messages
From:       Steve Grubb <sgrubb () redhat ! com>
Date:       2007-11-02 18:39:00
Message-ID: 200711021439.00367.sgrubb () redhat ! com

On Friday 02 November 2007 01:51:54 pm Bill Tangren wrote:
>
> Nov  2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500
> removed an audit rule
>
> What does this mean?

It means that the user logged in under acct 500 either deleted an audit rule 
by hand or ran a script that did. On shutdown, the audit daemon init script 
will delete rules unless you tell it not to in /etc/sysconfig/audit.

> Does it mean that some of my rules in 
> /etc/audit.rules are improper, and the server is removing them?

Most likely the initscript is removing the rules since you said it was on a 
restart.

-Steve
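
Added example, not part of the original message: a small Python parser for kernel audit lines of the form quoted above, which decodes the `audit(epoch.ms:serial)` stamp and groups "removed an audit rule" events per auid into bursts. The `burst_window` threshold and all sample lines after the first are assumptions constructed for illustration; a burst of removals in one instant is what a script flushing the rule list would produce, while an isolated removal deserves a closer look.

```python
import re
from datetime import datetime, timezone

# Kernel audit record in syslog: audit(<epoch>.<ms>:<serial>): auid=<id> <text>
AUDIT_RE = re.compile(
    r"audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s+auid=(?P<auid>\d+)\s+(?P<msg>.*)$")

# First line is the one quoted in the thread (rejoined); the rest are constructed.
SAMPLE = [
    "Nov  2 10:27:25 charon kernel: audit(1194013645.793:6808): auid=500 removed an audit rule",
    "Nov  2 10:27:25 charon kernel: audit(1194013645.795:6809): auid=500 removed an audit rule",
    "Nov  2 10:27:25 charon kernel: audit(1194013645.801:6810): auid=500 removed an audit rule",
    "Nov  2 10:27:26 charon kernel: some unrelated message",
    "Nov  2 11:02:10 charon kernel: audit(1194015730.120:6901): auid=500 removed an audit rule",
]

def parse_line(line):
    """Return a dict for a kernel audit line, or None if the line is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {
        "epoch": float(m["sec"] + "." + m["ms"]),
        "utc": datetime.fromtimestamp(int(m["sec"]), tz=timezone.utc),
        "serial": int(m["serial"]),
        "auid": int(m["auid"]),
        "msg": m["msg"].strip(),
    }

def rule_removals(lines, burst_window=2.0):
    """Group rule-removal events per auid; events closer together than
    burst_window seconds (an assumed threshold) count as one burst."""
    events = sorted(
        (e for e in map(parse_line, lines) if e and "removed an audit rule" in e["msg"]),
        key=lambda e: (e["auid"], e["epoch"]),
    )
    bursts = []
    for e in events:
        last = bursts[-1] if bursts else None
        if last and last["auid"] == e["auid"] and e["epoch"] - last["end"] <= burst_window:
            last["end"] = e["epoch"]
            last["count"] += 1
        else:
            bursts.append({"auid": e["auid"], "start": e["utc"], "end": e["epoch"], "count": 1})
    return bursts

if __name__ == "__main__":
    for b in rule_removals(SAMPLE):
        print(f"auid={b['auid']} start={b['start'].isoformat()} removals={b['count']}")
```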
