On Thu, 19 Sep 2019 01:50:05 +0000
"Li,Rongqing" <lirongqing(a)baidu.com> wrote:
No need knobs, auditctl can change the backlog length and wait time.
And it is helpless to change the backlog length if auditd is hung
forever, as a task can be hung forever due to disk/filesystem's
abnormal, etc
I am saying the audit default behaviors which is changed, I truly
meet the issue as description of the below commit, if we can make
change, other can avoid this issue.
I'd like to offer an opinion because this a long term issue that we
have faced and what exists is the result of having to meet certain
requirements.
If the machine boots with audit=0, which I think is default, then the
end user has no expectation of audit ever being in use. Audit events
may be discarded if the backlog fills up.
If however the machine boots with audit=1, then the user is expecting
that there will eventually be an audit daemon and they want all events.
All of them without fail. So, we have to take all measures to deliver
those events because this is required by common criteria as well as
other security standards such as PCI-DSS.
So, there are 2 paths. One which does not care about audit and one
that does. The original behavior did not meet requirements. If there is
any patch that fixes this, it would be to not have an audit backlog
wait time if audit has never been enabled. We have to be careful to
consider audit never enabled, audit disabled but previously enabled,
and audit enabled.
HTH...
-Steve