libaudit-go
Can it run while auditd is running?
Hello, I want to monitor who accesses the file "/etc/passwd". When the system "auditd" is running, "auditprint" cannot run.
I don't want to stop the auditd daemon, because our clients do not allow us to. The ausearch command can audit logs, but not in an event-notify fashion.
So, is there any way to run auditprint while auditd is running?
I don't think it is possible to have both.
See http://man7.org/linux/man-pages/man3/audit_set_pid.3.html. Since auditprint registers itself as the daemon to receive events instead of handing them over to auditd, only one of them is the actual receiver of the audit events at any given point in time.
@carr123 yeah, I believe what @arunk-s mentioned is the case. Basically this project is more a library to integrate in your own application (that in turn would replace auditd on the host). auditprint is more just a little example of how it can be used.
You may want to check out this project here: https://github.com/gdestuynder/audisp-json
This works with auditd running, and will post the events as JSON to an HTTP API. You'd still need to write something for the collection side of things but it might be more suitable for your use case.
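
The plugin approach suggested above, sketched as an added example that is not part of this thread and is not code from libaudit-go or audisp-json: auditd stays the registered audit daemon and its dispatcher hands records to a plugin process, which reports accesses to /etc/passwd as they arrive. It assumes the plugin is configured for string-format records on stdin and that a watch such as `auditctl -w /etc/passwd -p rwa -k passwd-watch` is loaded; `Hit`, `Scan`, the sample records and the key name are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"strings"
)

// Hit is one audit event that touched the watched path.
type Hit struct{ ID, AUID, UID, Exe string }
// Constructed sample records, not captured from a real host.
const sample = `type=SYSCALL msg=audit(1500000000.100:41): arch=c000003e syscall=257 success=yes auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd-watch"
type=PATH msg=audit(1500000000.100:41): item=0 name="/etc/passwd" nametype=NORMAL
type=EOE msg=audit(1500000000.100:41):
type=SYSCALL msg=audit(1500000000.200:42): arch=c000003e syscall=257 success=yes auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1500000000.200:42): item=0 name="/etc/hostname" nametype=NORMAL
type=EOE msg=audit(1500000000.200:42):`

// Scan reads string-format audit records line by line and calls emit as soon
// as an event's PATH record names the watched file (absolute names only).
func Scan(r io.Reader, watched string, emit func(Hit)) {
	pending := map[string]Hit{} // event id -> fields from its SYSCALL record
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := map[string]string{} // key=value fields of this record
		for _, tok := range strings.Fields(sc.Text()) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				f[k] = strings.Trim(v, `"`)
			}
		}
		id := strings.Trim(f["msg"], "audit():") // "timestamp:serial"
		switch f["type"] {
		case "SYSCALL":
			pending[id] = Hit{id, f["auid"], f["uid"], f["exe"]}
		case "PATH":
			if h, ok := pending[id]; ok && f["name"] == watched {
				emit(h)
				delete(pending, id) // report each event once
			}
		case "EOE": // end of event: drop state so the map stays bounded
			delete(pending, id)
		}
	}
}

func main() { // as an auditd plugin, pass os.Stdin instead of the sample
	Scan(strings.NewReader(sample), "/etc/passwd", func(h Hit) { fmt.Printf("%+v\n", h) })
}
```

The `auid` field is the login UID, so it still identifies the original user when `uid` is 0 after sudo or su.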