Description of problem:
When auditing is enabled, only new processes are audited rather than all processes. This might not be an issue if auditing is enabled early during boot, when there aren't any untrusted programs running, but if auditing is enabled later then processes that were already running at the time won't be audited.

Version-Release number of selected component (if applicable):
RHEL4 U2 beta

How reproducible:

Steps to Reproduce:
1. boot the system configured so that auditd isn't started
2. start some program that will generate some syscall activity
3. start auditd and set up a rule to audit that program's syscall activity

Actual results:
the program's syscalls aren't audited

Expected results:
the program's syscalls start being audited when auditing is enabled

Additional info:
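As an added check (not part of this report or of the audit package), the script below lists the processes whose start time predates auditd's own start; under the behaviour described above, those processes were created while auditing was off and so are not covered by rules added afterwards. It assumes Linux `/proc/<pid>/stat`, where field 22 is the start time in clock ticks since boot; the embedded process table is constructed sample data, and `snapshot_procs` is only needed on a live system.

```bash
#!/bin/sh
# Added check: which running processes started before auditd did?
# Per the report above, processes created while auditing was off
# are not audited by rules added later, so these are the blind spot.

# preexisting_pids <auditd_starttime>
# Reads "pid starttime comm" records on stdin (starttime in clock
# ticks since boot) and prints "pid comm" for every process that
# started before auditd.
preexisting_pids() {
    awk -v a="$1" '$2 + 0 < a + 0 { print $1, $3 }'
}

# snapshot_procs: emit "pid starttime comm" for every live process.
# Field 22 of /proc/<pid>/stat is starttime; the "(comm)" field can
# contain spaces, so strip everything up to the last ") " first,
# which leaves starttime as field 20 of the remainder.
snapshot_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        stat=$(cat "$d/stat" 2>/dev/null) || continue
        rest=${stat##*) }
        start=$(echo "$rest" | awk '{ print $20 }')
        comm=$(cat "$d/comm" 2>/dev/null)
        echo "$pid $start $comm"
    done
}

# auditd_start <procfile>: start tick of the process named auditd.
auditd_start() {
    awk '$3 == "auditd" { print $2; exit }' "$1"
}

# Constructed sample: auditd started at tick 50000; init and sshd
# predate it and would be unaudited, bash started afterwards.
SAMPLE=$(mktemp)
printf '%s\n' '1 12 init' '1840 31000 sshd' \
               '2201 50000 auditd' '2300 61000 bash' > "$SAMPLE"

preexisting_pids "$(auditd_start "$SAMPLE")" < "$SAMPLE"
rm -f "$SAMPLE"
```

On a real host, replace the sample with `snapshot_procs > "$SAMPLE"` to check the live process table.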
This is documented in the NOTES section of auditd man page. This is the way the system was designed. Therefore this is not a bug. Thanks for reporting the issue.