On May 5, 2016 8:10 AM, "Tony Evans" <t...@darkstorm.co.uk> wrote:
>
> Firstly, apologies for double-posting the issue originally.
>
> On 5 May 2016 at 13:05, shawn wilson <ag4ve...@gmail.com> wrote:
> >
> > On May 5, 2016 6:03 AM, "Tony Evans" <gnomt...@gmail.com> wrote:
> >>
> >
> >> I can't find why the log entries are being created (i.e. I know the
> >> trigger, but I can't work out why that trigger is now generating log
> >> entries when it wasn't doing that before I installed and removed
> >> auditd).
> >>
> >
> > I'm guessing the removal script didn't delete the audit rules which reside
> > in kernel memory. If I'm correct, a reboot will fix this. I'd probably
> > consider that a bug (if I'm right) and confirm and submit a report to the
> > maintainer.
>
> That doesn't really explain what I'm seeing - I only added one rule
> when I first installed it, and it was nothing to do with iptables or
> anything near the directories it is using.  Additionally, when I
> reinstalled auditd, the messages stop (and start again when it's
> removed)
>

Something weird happening with init maybe?

> Can I query the kernel rules (without auditctl?)
>

A quick Google didn't reveal anything but I'm guessing there's at least a
rule or hit counter under either proc or sys (kinda like iptables does).
Could probably (idk what libs it links to off the top) just copy auditctl
somewhere before uninstalling though.
