Bug 167978 - existing processes aren't audited when audit is enabled
existing processes aren't audited when audit is enabled
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Alexander Viro
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2005-09-09 18:37 EDT by Linda Knippers
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-18 08:43:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Linda Knippers 2005-09-09 18:37:48 EDT
Description of problem:

When auditing is enabled, only new processes are audited rather
than all processes.  This might not be an issue if auditing
is enabled early during boot if there aren't any untrusted 
programs running but if auditing is enabled later then processes 
that were already running at the time won't be audited.

Version-Release number of selected component (if applicable):

RHEL4 U2 beta

How reproducible:

Steps to Reproduce:
1.boot the system configured so that auditd isn't started
2.start some program that will generate some syscall activity
3.start auditd and set up a rule to audit that program's syscall activity
Actual results:
the program's syscalls aren't audited

Expected results:
the program's syscalls start being audited when auditing
is enabled

Additional info:
Comment 1 Steve Grubb 2006-08-18 08:43:52 EDT
This is documented in the NOTES section of auditd man page. This is the way the
system was designed. Therefore this is not a bug. Thanks for reporting the issue.

Note You need to log in before you can comment on or make changes to this bug.