On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 16/02/10, Max Timchenko wrote:
> > Has anyone tried that before? What would actually happen if two different
> > audit clients tried to use the same interface to the audit subsystem in
> > the kernel?
> With recent changes upstream, the second would be denied with -EEXIST.
> Before that, the older one would be starved out. And versions even
> older might actually have the newer one orphaned in the very occasional
> race where the older one shuts down after the second one starts.
> To quote Highlander, "There Can Be Only One".

Thanks Richard and Paul for your quick responses. It's great to hear that
support for containers is being worked on.

I have read the docs on audispd(8) - is it something auditd and the other
client could use to enable multiple access? It sounds like audispd does
support multiple clients, but I would guess all clients would have to use
the audispd plugin interface instead of the usual kernel API.

What is missing from the documentation for me is the relationship between
audispd and auditd - whether audispd is an optional component of auditd
that can run concurrently, or audispd is a replacement of auditd when
configured (and then auditd cannot run on the same machine without running
into the same multi-client issues).

Yours,
--
Max