Description of problem:
When auditing is enabled, only new processes are audited rather
than all processes. This might not be an issue if auditing
is enabled early during boot if there aren't any untrusted
programs running, but if auditing is enabled later, then processes
that were already running at the time won't be audited.
Version-Release number of selected component (if applicable):
RHEL4 U2 beta
Steps to Reproduce:
1. boot the system configured so that auditd isn't started
2. start some program that will generate some syscall activity
3. start auditd and set up a rule to audit that program's syscall activity
Actual results:
the program's syscalls aren't audited
Expected results:
the program's syscalls start being audited when auditing
This is documented in the NOTES section of auditd man page. This is the way the
system was designed. Therefore this is not a bug. Thanks for reporting the issue.
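
A defender's check for the gap discussed in this report, as an added example that is not part of the original report or of the audit project's code: it lists processes that started before auditd did, using the start time in field 22 of /proc/<pid>/stat. Assumptions: auditd's own start time stands in for the moment auditing was enabled, the system was not booted with audit=1, and TEMPLATE and SAMPLE are constructed data.

```python
import os

def parse_stat(line):
    """Return (pid, comm, starttime_ticks) from one /proc/<pid>/stat line.

    comm can contain spaces and parentheses, so cut at the LAST ') '.
    """
    pid_part, _, rest = line.partition(" (")
    comm, _, tail = rest.rpartition(") ")
    fields = tail.split()
    # tail begins at field 3 (state); starttime is field 22 -> index 19
    return int(pid_part), comm, int(fields[19])

def predates_auditd(stat_lines, auditd_comm="auditd"):
    """Return sorted (pid, comm) of processes started before auditd."""
    procs = [parse_stat(l) for l in stat_lines if l.strip()]
    starts = [s for _, c, s in procs if c == auditd_comm]
    if not starts:
        # auditd is not running at all: report every process
        return sorted((p, c) for p, c, _ in procs)
    enabled_at = min(starts)  # assumption: auditing enabled when auditd started
    return sorted((p, c) for p, c, s in procs if s < enabled_at)

def read_live_stats(proc="/proc"):
    """Collect the stat line of every process currently in /proc."""
    lines = []
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                with open(os.path.join(proc, name, "stat")) as f:
                    lines.append(f.read())
            except OSError:
                pass  # process exited between listdir() and open()
    return lines

# Constructed sample: only pid, comm and starttime (field 22) vary.
TEMPLATE = "{pid} ({comm}) S 1 1 1 0 -1 0 0 0 0 0 0 0 0 0 20 0 1 0 {start} 0 0"
SAMPLE = [
    TEMPLATE.format(pid=1, comm="init", start=5),
    TEMPLATE.format(pid=812, comm="my (old) job", start=900),
    TEMPLATE.format(pid=1500, comm="auditd", start=4200),
    TEMPLATE.format(pid=1620, comm="sshd", start=5100),
]

if __name__ == "__main__":
    for pid, comm in predates_auditd(read_live_stats()):
        print(pid, comm)
```

On a live system the output also includes kernel threads and init, which always start before auditd; the entries of interest are long-running user-space programs.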