-----Original Message-----
 From: Steve Grubb [mailto:sgrubb@redhat.com]
 Sent: September 19, 2019 10:34
 To: Li,Rongqing <lirongqing(a)baidu.com>
 Cc: Paul Moore <paul(a)paul-moore.com>; linux-audit(a)redhat.com
 Subject: Re: [PATCH][RFC] audit: set wait time to zero when audit failed
 
 On Thu, 19 Sep 2019 01:50:05 +0000
 "Li,Rongqing" <lirongqing(a)baidu.com> wrote:
 
 > No need knobs, auditctl can change the backlog length and wait time.
 > And it is helpless to change the backlog length if auditd is hung
 > forever, as a task can be hung forever due to disk/filesystem's
 > abnormal, etc.
 >
 > I am saying the audit default behaviors which is changed, I truly meet
 > the issue as description of the below commit, if we can make change,
 > other can avoid this issue.
 
 I'd like to offer an opinion because this is a long-term issue that we have faced
 and what exists is the result of having to meet certain requirements.
 
 If the machine boots with audit=0, which I think is default, then the end user
 has no expectation of audit ever being in use. Audit events may be discarded if
 the backlog fills up.
 
 If however the machine boots with audit=1, then the user is expecting that
 there will eventually be an audit daemon and they want all events.
 All of them without fail. So, we have to take all measures to deliver those
 events because this is required by common criteria as well as other security
 standards such as PCI-DSS.
  
Ok, I see
Thanks
-RongQing

 So, there are 2 paths. One which does not care about audit and one that does.
 The original behavior did not meet requirements. If there is any patch that fixes
 this, it would be to not have an audit backlog wait time if audit has never been
 enabled. We have to be careful to consider audit never enabled, audit disabled
 but previously enabled, and audit enabled.
 
 HTH...
 
 -Steve