One of the CAPP requirements and probably the LSPP as well is when audit records cannot be generated, for a particular process, the process need to be halted. the current audit system, depending on the failure flag can either, 1) do nothing 2) print a kernel message or 3) issue a panic. I am thinking of adding a 4) option for the failure flag  to suspend the process. If the failure flag is set to "suspend" and the audit_log_lost function is called the process will be suspended  by issuing a sigsuspend call.
I am soliciting comments to see if I proceed with this or not.
Thanks,
Mounir


Mounir Bsaibes
Linux Security
Tel:  (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes@us.ibm.com