I have a security requirement to take some action (halt or reboot to single user mode) when/if auditd stops or crashes. I have set up auditd.conf to handle running out of disk space. Somehow I don't think auditd can audit itself! Can I somehow use audispd to do this? Comments/ideas appreciated.
Assuming that in a running system a lot of information is constantly logged, how about monitoring the absence of events? I.e., if `auditd` doesn't log anymore, it might not be running properly anymore. Would it be possible to implement such a watchdog process, which itself could be monitored by others? – U880D May 18 '18 at 12:55
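Since audispd is spawned by auditd and goes away with it, it cannot watch its parent, so the external watchdog the comment describes is the workable route. Below is an added example of one (not code from the question or the commenter): it combines a process check with the absence-of-events check; the `ON_FAILURE` hook, the `MAX_SILENCE` threshold and the `WATCHDOG_RUN` switch are names assumed here, and the script assumes Linux with GNU coreutils and procps.

```shell
#!/bin/sh
# auditd watchdog: added example, not code from the question or the commenter.
# Assumes Linux with GNU coreutils (stat -c) and procps (pgrep), and a
# hypothetical ON_FAILURE hook supplied by the operator.
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
MAX_SILENCE="${MAX_SILENCE:-300}"    # seconds without a new audit record tolerated
ON_FAILURE="${ON_FAILURE:-}"         # e.g. 'systemctl isolate rescue.target'

# 0 if an auditd process exists, 1 otherwise.
auditd_running() {
    pgrep -x auditd >/dev/null 2>&1
}

# Print seconds since $1 was last modified; fail if the file is missing.
file_age() {
    mtime=$(stat -c %Y "$1" 2>/dev/null) || return 1
    echo $(( $(date +%s) - mtime ))
}

# 0 if $1 was modified within the last $2 seconds, 1 if stale or missing.
log_is_fresh() {
    age=$(file_age "$1") || return 1
    [ "$age" -le "$2" ]
}

# Pure decision: $1 = 1 if the process is alive, $2 = 1 if the log is fresh.
# Prints healthy, dead (no process) or silent (process alive, no records).
verdict() {
    if [ "$1" -ne 1 ]; then echo dead
    elif [ "$2" -ne 1 ]; then echo silent
    else echo healthy
    fi
}

# One watchdog pass: gather both signals, log the verdict, run the hook if unhealthy.
watchdog_once() {
    running=0; fresh=0
    auditd_running && running=1
    log_is_fresh "$AUDIT_LOG" "$MAX_SILENCE" && fresh=1
    state=$(verdict "$running" "$fresh")
    if [ "$state" != healthy ]; then
        logger -p auth.crit "auditd watchdog: auditd is $state" 2>/dev/null || true
        [ -n "$ON_FAILURE" ] && sh -c "$ON_FAILURE"
    fi
    echo "$state"
}

# Entry point is guarded so the functions can be sourced without side effects.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then watchdog_once; fi
```

Run it from a cron job or systemd timer with `WATCHDOG_RUN=1` so that the watchdog's own silence is visible to that scheduler, and size `MAX_SILENCE` for the host: an idle machine with a sparse rule set can legitimately go minutes without a record.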