Bug 167978

Summary: existing processes aren't audited when audit is enabled
Product: Red Hat Enterprise Linux 4
Reporter: Linda Knippers <linda.knippers>
Component: kernel
Assignee: Alexander Viro <aviro>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4.0
CC: linda.knippers, sgrubb
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-08-18 12:43:52 UTC

Description Linda Knippers 2005-09-09 22:37:48 UTC
Description of problem:

When auditing is enabled, only new processes are audited rather
than all processes.  This might not be an issue if auditing
is enabled early during boot if there aren't any untrusted 
programs running but if auditing is enabled later then processes 
that were already running at the time won't be audited.

Version-Release number of selected component (if applicable):

RHEL4 U2 beta

How reproducible:


Steps to Reproduce:
1. boot the system configured so that auditd isn't started
2. start some program that will generate some syscall activity
3. start auditd and set up a rule to audit that program's syscall activity
  
Actual results:
the program's syscalls aren't audited

Expected results:
the program's syscalls start being audited when auditing
is enabled

Additional info:

Comment 1 Steve Grubb 2006-08-18 12:43:52 UTC
This is documented in the NOTES section of auditd man page. This is the way the
system was designed. Therefore this is not a bug. Thanks for reporting the issue.
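
A way to see which running processes fall into the gap this report describes, as an added example (not code from the bug report or from the audit project): it lists every process whose start time is earlier than auditd's. The function names are hypothetical, and it assumes that auditd's start time approximates the moment auditing was enabled.

```shell
#!/bin/sh
# Added example. Assumption: auditing was enabled when the currently running
# auditd started; if auditd was restarted later, this over-reports.

# Print starttime (field 22 of /proc/PID/stat, clock ticks since boot).
# comm (field 2) may itself contain spaces or ")", so cut at the LAST ") ".
stat_starttime() {
    line=$(cat "$1" 2>/dev/null) || return 1
    rest=${line##*) }        # rest begins at field 3 (state)
    set -- $rest
    [ $# -ge 20 ] || return 1
    echo "${20}"             # field 22 overall is the 20th field of rest
}

# Print "PID COMM" for each process under $1 (default /proc) that started
# before auditd. Returns 2 when no auditd process is found.
# Kernel threads also predate auditd and will appear in the list.
pre_audit_processes() {
    root=${1:-/proc}
    audit_start=
    for f in "$root"/[0-9]*/stat; do
        line=$(cat "$f" 2>/dev/null) || continue
        comm=${line#*(}; comm=${comm%) *}
        if [ "$comm" = auditd ]; then
            audit_start=$(stat_starttime "$f") && break
        fi
    done
    [ -n "$audit_start" ] || return 2

    for f in "$root"/[0-9]*/stat; do
        st=$(stat_starttime "$f") || continue
        [ "$st" -lt "$audit_start" ] || continue
        line=$(cat "$f" 2>/dev/null) || continue
        comm=${line#*(}; comm=${comm%) *}
        echo "${line%% *} $comm"
    done
}
# Usage on a live system: pre_audit_processes
```

The auditd(8) man page's NOTES section recommends booting with the `audit=1` kernel parameter so that processes started before the daemon are also marked auditable.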