On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 16/02/10, Max Timchenko wrote:
> > Has anyone tried that before? What would actually happen if two different
> > audit clients tried to use the same interface to the audit subsystem in the
> > kernel?
>
> With recent changes upstream, the second would be denied with -EEXIST.
>
> Before that, the older one would be starved out.  And versions even
> older might actually have the newer one orphaned in the very occasional
> race where the older one shuts down after the second one starts.
>
> To quote Highlander, "There Can Be Only One".

Thanks Richard and Paul for your quick responses. It's great to hear that support for
containers is being worked on.

I have read the docs on audispd(8) - is it something auditd and the other
client could use to enable multiple access? It sounds like audispd does support
multiple clients, but I would guess all clients would have to use the audispd
plugin interface instead of the usual kernel API.

What is missing from the documentation for me is the relationship between
audispd and auditd - whether audispd is an optional component of auditd that can
run concurrently, or audispd is a replacement of auditd when configured (and
then auditd cannot run on the same machine without running into the same
multi-client issues).

Yours,
--
Max