167978 – existing processes aren't audited when audit is enabled

Bug 167978 - existing processes aren't audited when audit is enabled

Summary: existing processes aren't audited when audit is enabled

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Alexander Viro
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-09-09 22:37 UTC by Linda Knippers
Modified:	2007-11-30 22:07 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-08-18 12:43:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Linda Knippers 2005-09-09 22:37:48 UTC

Description of problem:

When auditing is enabled, only new processes are audited rather
than all processes.  This might not be an issue if auditing
is enabled early during boot if there aren't any untrusted 
programs running but if auditing is enabled later then processes 
that were already running at the time won't be audited.

Version-Release number of selected component (if applicable):

RHEL4 U2 beta

How reproducible:


Steps to Reproduce:
1.boot the system configured so that auditd isn't started
2.start some program that will generate some syscall activity
3.start auditd and set up a rule to audit that program's syscall activity
  
Actual results:
the program's syscalls aren't audited

Expected results:
the program's syscalls start being audited when auditing
is enabled

Additional info:

Comment 1 Steve Grubb 2006-08-18 12:43:52 UTC

This is documented in the NOTES section of auditd man page. This is the way the
system was designed. Therefore this is not a bug. Thanks for reporting the issue.

Note You need to log in before you can comment on or make changes to this bug.