On Wednesday 05 January 2005 12:10, Valdis.Kletnieks(a)vt.edu wrote:
> (I'm assuming that most sane auditors would have a cow if they found that
> the audit system didn't record things like "audit file truncated/wrapped"
> and similar events).

The audit daemon can't wrap files.

> Probably some hand-waving needs to happen, figuring out how many audit
> records we generate for various methods of clearing the problem, and
> actually send the AUDIT_SUSPEND when there's still enough space in the
> current log to write the records.

You should be able to do this. There's a config parameter space_left_action
which lets you tell it what you want it to do.

> We may also need to pre-allocate disk space for the logfiles
> (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise
> we can still deadlock if we're logging to /var and somebody else
> snarfs up that last 4K block of free disk after we've sent
> AUDIT_SUSPEND but before we actually do something that generates
> the records....

The log file descriptor is opened in the append mode as a safety precaution. I
would recommend that anyone this paranoid should log to a partition set aside
just for audit logs.
-Steve Grubb
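
The two recommendations in the reply above (set `space_left_action`, and log to a partition set aside for audit logs) can be checked mechanically. The shell sketch below is an added example, not part of the original message or the audit project's code; the function names, the "log directory is itself a mount point" heuristic, the fallback log path and the sample config are assumptions.

```shell
#!/bin/sh
# Added example: check an auditd.conf for the two points raised in the thread.

# conf_get FILE KEY: print the value of "key = value" (last match wins).
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (tolower(key) == k) v = val }
        END { print v }' "$1"
}

# mount_of DIR: mount point of the filesystem holding DIR (empty if unknown).
mount_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }'
}

# check_audit_space FILE: print findings; return 0 if none, 1 otherwise.
check_audit_space() {
    rc=0
    action=$(conf_get "$1" space_left_action | tr '[:upper:]' '[:lower:]')
    case "$action" in
        ""|ignore)
            echo "space_left_action is '${action:-unset}': nothing happens when space runs low"
            rc=1 ;;
    esac
    log_file=$(conf_get "$1" log_file)
    # Assumption: fall back to the usual auditd log location when log_file is unset.
    log_dir=$(dirname "${log_file:-/var/log/audit/audit.log}")
    mnt=$(mount_of "$log_dir")
    # Heuristic (assumption): "dedicated" means the log directory is itself a mount point.
    if [ "$mnt" != "$log_dir" ]; then
        echo "$log_dir is on '${mnt:-unknown}', shared with other writers"
        rc=1
    fi
    return $rc
}

# Constructed sample configuration, not taken from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
log_file = /var/log/audit/audit.log
space_left_action = ignore
EOF
check_audit_space "$sample" || true
rm -f "$sample"
```

A non-zero return means at least one finding was printed, so the function can gate a deployment or compliance script.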