Bug 167978 - existing processes aren't audited when audit is enabled
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Alexander Viro
QA Contact: Brian Brock
Keywords: Security
Depends On:
Reported: 2005-09-09 22:37 UTC by Linda Knippers
Modified: 2007-11-30 22:07 UTC (History)

Clone Of:
Last Closed: 2006-08-18 12:43:52 UTC

Description Linda Knippers 2005-09-09 22:37:48 UTC
Description of problem:

When auditing is enabled, only new processes are audited rather
than all processes. This might not be an issue if auditing
is enabled early during boot, if there aren't any untrusted
programs running, but if auditing is enabled later then processes
that were already running at the time won't be audited.

Version-Release number of selected component (if applicable):

RHEL4 U2 beta

How reproducible:

Steps to Reproduce:
1. boot the system configured so that auditd isn't started
2. start some program that will generate some syscall activity
3. start auditd and set up a rule to audit that program's syscall activity

Actual results:
the program's syscalls aren't audited

Expected results:
the program's syscalls start being audited when auditing
is enabled

Additional info:

Comment 1 Steve Grubb 2006-08-18 12:43:52 UTC
This is documented in the NOTES section of the auditd man page. This is the way the
system was designed. Therefore this is not a bug. Thanks for reporting the issue.
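
A check an administrator could run for the situation discussed in this bug, as an added example that is not part of the original report or of any Red Hat code: it lists processes that started before auditd, unless the kernel was booted with `audit=1`, the boot parameter that the NOTES section of current auditd(8) man pages describes for marking early processes as auditable. The function names and the sample process table are constructed for illustration, and the script assumes that auditing was first enabled at the moment the running auditd started.

```shell
#!/bin/sh
# Added example, not from the bug report.
# Input on stdin: "PID ELAPSED_SECONDS COMM" per line, the layout produced by
#   ps -eo pid=,etimes=,comm=

# Constructed sample process table (auditd is PID 1500, running for 900 s).
SAMPLE='1 5000 init
812 4200 sshd
1500 900 auditd
1733 120 bash'

# Exit 0 if the kernel command line in $1 contains audit=1 as a whole word.
has_audit_boot_param() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# predates_auditd AUDITD_ELAPSED KERNEL_CMDLINE
# Prints "PID COMM" for every process that has been running longer than
# auditd, i.e. one that existed before auditing was switched on.
# Assumption: auditing was first enabled when this auditd instance started.
# Processes started in the same second as auditd are not reported.
predates_auditd() {
    if has_audit_boot_param "$2"; then
        cat >/dev/null   # drain stdin; with audit=1 there is nothing to report
        return 0
    fi
    awk -v a="$1" '$2 + 0 > a + 0 { print $1, $3 }'
}

# Live wrapper (assumes a ps that supports etimes and a running auditd).
live_report() {
    pid=$(pidof -s auditd) || { echo "auditd is not running" >&2; return 2; }
    ps -eo pid=,etimes=,comm= |
        predates_auditd "$(ps -o etimes= -p "$pid")" "$(cat /proc/cmdline)"
}

# Demo on the constructed sample: a system booted without audit=1.
printf '%s\n' "$SAMPLE" | predates_auditd 900 "ro root=/dev/sda1 quiet"
```

Call `live_report` on a real host; any process it prints has to be restarted after auditing is enabled before syscall rules can apply to it.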
