On Wed, 05 Jan 2005 09:09:14 CST, Mounir Bsaibes said:
> Whenever a full disk (or a log that has reached its limit) is detected,
> auditd sends an AUDIT_SUSPEND message to the kernel. On receipt of
> this message the kernel will set a flag, "disk_full_flag". If this
> disk_full_flag is set, audit_log_start will call audit_suspend to
> queue the process in a wait queue. Whenever the disk_full_flag is
> reset, all the processes in the wait queue will be rescheduled.
Actually, you need to play some *very* careful games here to prevent
a deadlock - there isn't any action that you can take to *clear* the
'disk/log full' situation that shouldn't itself generate audit records.
(I'm assuming that most sane auditors would have a cow if they found that
the audit system didn't record things like "audit file truncated/wrapped"
and similar events).
Probably some hand-waving needs to happen, figuring out how many audit
records we generate for various methods of clearing the problem, and actually
sending the AUDIT_SUSPEND when there's still enough space in the current log
to write the records. We may also need to pre-allocate disk space for the
logfiles (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise
we can still deadlock if we're logging to /var and somebody else snarfs up
that last 4K block of free disk after we've sent AUDIT_SUSPEND but before
we actually do something that generates the records...
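The two suggestions in the reply above (suspend early, while the current log still has room for the records that clearing the condition will itself generate; and pre-allocate the log so nobody can grab the last free blocks in between) are modelled below as an added example. It is not code from this thread or from the Linux audit subsystem. MAX_RECORD_BYTES, the record counts, the 64 KiB log limit and the function names (reserve_bytes, should_suspend, clearing_fits, first_suspend_index, preallocate_log) are all constructed for illustration.

```c
/*
 * Added example, not code from this thread or from the Linux audit
 * subsystem: a user-space model of two ideas from the reply above.
 *
 *   1. Send AUDIT_SUSPEND while the current log still has room for the
 *      records that clearing the condition (truncate/rotate/wrap) will
 *      itself generate, rather than when the log is literally full.
 *   2. Pre-allocate the log file by writing zeros (what the
 *      'dd if=/dev/zero' trick does) so nobody else can take the last
 *      free blocks after AUDIT_SUSPEND has been sent.
 *
 * MAX_RECORD_BYTES, the record counts and the 64 KiB log limit are
 * constructed assumptions; real audit record sizes differ.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_RECORD_BYTES 8192u   /* assumed upper bound on one serialized record */

/* Space that must stay free: n_clearing "problem cleared" records plus one
 * more, so the record that trips the threshold itself still fits. */
size_t reserve_bytes(unsigned n_clearing)
{
    return ((size_t)n_clearing + 1) * MAX_RECORD_BYTES;
}

/* 1 if auditd should send AUDIT_SUSPEND now, given `used` of `limit` bytes. */
int should_suspend(size_t used, size_t limit, unsigned n_clearing)
{
    if (used >= limit)
        return 1;
    return (limit - used) < reserve_bytes(n_clearing);
}

/* 1 if the clearing records themselves still fit once we have suspended. */
int clearing_fits(size_t used, size_t limit, unsigned n_clearing)
{
    return used + (size_t)n_clearing * MAX_RECORD_BYTES <= limit;
}

/* Replay record lengths against an empty log; return the index of the
 * record before which AUDIT_SUSPEND would be sent, or -1 if never. */
int first_suspend_index(const size_t *lens, size_t n, size_t limit,
                        unsigned n_clearing, size_t *used_out)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (should_suspend(used, limit, n_clearing)) {
            if (used_out) *used_out = used;
            return (int)i;
        }
        used += lens[i];
    }
    if (used_out) *used_out = used;
    return -1;
}

/* Constructed sample: ten 5000-byte records against a 64 KiB log. */
#define SAMPLE_LIMIT (64u * 1024u)
static const size_t sample_lens[10] = { 5000, 5000, 5000, 5000, 5000,
                                        5000, 5000, 5000, 5000, 5000 };

int demo_first_suspend(unsigned n_clearing)
{
    return first_suspend_index(sample_lens, 10, SAMPLE_LIMIT, n_clearing, NULL);
}

/* Zero-fill `bytes` into a new file at `path` (O_EXCL: refuse a pre-planted
 * file or symlink). Returns bytes written, or -1 on error. */
ssize_t preallocate_log(const char *path, size_t bytes)
{
    static const char zeros[4096];
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    size_t done = 0;
    while (done < bytes) {
        size_t chunk = bytes - done < sizeof zeros ? bytes - done : sizeof zeros;
        ssize_t w = write(fd, zeros, chunk);
        if (w <= 0) {
            close(fd);
            return -1;
        }
        done += (size_t)w;
    }
    if (fsync(fd) != 0) {
        close(fd);
        return -1;
    }
    return close(fd) == 0 ? (ssize_t)done : -1;
}

int main(int argc, char **argv)
{
    size_t used = 0;
    int idx = first_suspend_index(sample_lens, 10, SAMPLE_LIMIT, 2, &used);
    printf("suspend before record %d, %zu bytes used, clearing fits: %d\n",
           idx, used, clearing_fits(used, SAMPLE_LIMIT, 2));
    if (argc > 1) {
        ssize_t n = preallocate_log(argv[1], SAMPLE_LIMIT);
        printf("preallocated %zd bytes in %s\n", n, argv[1]);
    }
    return 0;
}
```

Run with no arguments to see where the threshold fires for the constructed sample; pass a path to a not-yet-existing file to pre-allocate a 64 KiB log there. The check a practitioner wants is that clearing_fits() is true at the point should_suspend() first returns 1: if it is not, the reserve is too small and the "log full" record itself cannot be written, which is exactly the deadlock the reply warns about.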