Firstly, apologies for double-posting the issue originally.

On 5 May 2016 at 13:05, shawn wilson <ag4ve...@gmail.com> wrote:
>
> On May 5, 2016 6:03 AM, "Tony Evans" <gnomt...@gmail.com> wrote:
>>
>> I can't find why the log entries are being created (i.e. I know the
>> trigger, but I can't work out why that trigger is now generating log
>> entries when it wasn't doing that before I installed and removed
>> auditd).
>>
>
> I'm guessing the removal script didn't delete the audit rules which reside
> in kernel memory. If I'm correct, a reboot will fix this. I'd probably
> consider that a bug (if I'm right) and confirm and submit a report to the
> maintainer.

That doesn't really explain what I'm seeing - I only added one rule when I first installed it, and it was nothing to do with iptables or anything near the directories it is using. Additionally, when I reinstalled auditd, the messages stop (and start again when it's removed).

Can I query the kernel rules (without auditctl)?

I'm happy (and comfortable) raising this as a bug (although it is 7.10, I may test and see if I can recreate on 8), but wanted to check first if there was somewhere I could dig for more information about where the trigger / rule is stored (without auditctl, since it's not installed any longer).

--
Tony Evans
'A learning experience is one of those things that say, "You know that thing you just did? Don't do that."' Douglas Adams.
Photos: http://www.flickr.com/photos/eightbittony/ | Blog: http://perceptionistruth.com/