On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor <pudge(a)pobox.com> wrote:
> If I restart auditd, can it lose (not record to the logs) events that
> happen during the restart? Or is the restart (and reload of new rules)
> essentially atomic?
The kernel maintains a backlog queue of audit records when auditd is
not running and attempts to (re)send those records when auditd is
started. However, the backlog queue size is fixed and it is possible
to overflow the queue; if that happens a message will be sent to the
kernel's ring buffer (dmesg).
--
paul moore
www.paul-moore.com
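A way to check the behaviour described above in practice, as an added example and not code from the thread: snapshot the kernel's audit status counters before and after restarting auditd and look at the `lost` counter (records the kernel dropped) and the `backlog_limit` / `backlog` pair, plus any "audit: backlog limit exceeded" lines in dmesg. The parsing assumes the "key value" per-line output of `auditctl -s` from audit-userspace 2.x/3.x; the status and dmesg samples embedded below are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not part of the original thread). Compares two
# `auditctl -s` snapshots to see whether the kernel audit backlog
# overflowed while auditd was down. Assumes the "key value" per-line
# output format of `auditctl -s` (audit-userspace 2.x/3.x).

# audit_field STATUS KEY: print the value of KEY from an `auditctl -s` text.
audit_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# lost_delta BEFORE AFTER: how many audit records the kernel dropped
# between the two snapshots (the `lost` counter is cumulative).
lost_delta() {
    lost_before=$(audit_field "$1" lost)
    lost_after=$(audit_field "$2" lost)
    echo $((lost_after - lost_before))
}

# backlog_headroom STATUS: free slots in the fixed-size backlog queue.
backlog_headroom() {
    limit=$(audit_field "$1" backlog_limit)
    used=$(audit_field "$1" backlog)
    echo $((limit - used))
}

# overflow_messages DMESG: count the kernel's overflow warnings
# (text as printed by audit_log_lost() in kernel/audit.c).
overflow_messages() {
    printf '%s\n' "$1" | grep -c 'audit: backlog limit exceeded' || true
}

# Constructed sample snapshots: 7 records lost during a restart.
STATUS_BEFORE='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 0
backlog 3
backlog_wait_time 60000'

STATUS_AFTER='enabled 1
failure 1
pid 1301
rate_limit 0
backlog_limit 320
lost 7
backlog 0
backlog_wait_time 60000'

# Constructed dmesg excerpt for the same window.
DMESG_SAMPLE='[ 4711.001] audit: audit_lost=7 audit_rate_limit=0 audit_backlog_limit=320
[ 4711.002] audit: backlog limit exceeded'

# With AUDIT_LIVE=1 (as root) take real snapshots around a restart;
# otherwise run the checks on the constructed samples.
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    STATUS_BEFORE=$(auditctl -s)
    service auditd restart
    STATUS_AFTER=$(auditctl -s)
    DMESG_SAMPLE=$(dmesg | tail -n 200)
fi

echo "records lost across restart: $(lost_delta "$STATUS_BEFORE" "$STATUS_AFTER")"
echo "backlog headroom now:        $(backlog_headroom "$STATUS_AFTER")"
echo "overflow warnings in dmesg:  $(overflow_messages "$DMESG_SAMPLE")"
```

If `lost` grows across the restart, the fixed backlog was too small for the event rate during the gap; `auditctl -b <N>` raises `backlog_limit` (persist it as `-b N` in audit.rules), and `auditctl -f 1` keeps the kernel's overflow warning going to printk so the dmesg check above stays meaningful.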