--- Mounir Bsaibes <bsaibes(a)us.ibm.com> wrote:
> 1) The first is when the audit log is full and the audit subsystem cannot write the audit record.
CAPP style audit trails (then known as C2) began
appearing in U2X systems in the mid 1980s. With
20 years experience under our belts, the only
behavior that has ever been considered reliable is
for the audit daemon to send the system into
single user (or turn it off) when audit space is
not available. There are too many interdependencies
between processes and system operation to suspend
individual processes. One example I like to use
is inetd, which *must* be audited and which will
cause amazing (lack of) behavior if it's suspended.
Another of my favorites is the X server. Imagine
trying to free up audit space with that locked up.
U2X systems often offer the alternative of throwing
records away if space isn't available, although
CAPP really dislikes that option.
> 2) The second is when the kernel cannot allocate memory to generate the audit buffer.
Oh, that's easy. The system must die at that point,
and the system must generate a core file for later
analysis. You are not allowed to lose audit data.
Plus, I suggest that there is no useful action you
could take that could reliably be expected to not
result in additional audit records.
I realize that these are user unfriendly behaviors.
Audit trails with gaps are like movies edited for TV,
sometimes you lose critical plot elements. Linux
has so much going on and depends on so many system
processes that you won't get away with blocking.
=====
Casey Schaufler
casey(a)schaufler-ca.com
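Added example, not from the thread or from the audit project: a POSIX sh check that tests an auditd.conf against the failure policy described above (stop the system rather than drop records) and rewrites the relevant keys in place. The key names and values are those of the Linux audit userspace auditd.conf; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check auditd.conf failure actions against
# the "stop the system, never drop records" policy argued above. Key names and
# values are auditd's own; the sample configuration below is constructed.

# Print the value of KEY in FILE (first match; whitespace around '=' allowed).
audit_conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# Return 0 only if every failure action stops the box (SINGLE or HALT);
# otherwise name each offending key on stdout and return 1.
check_audit_failure_policy() {
    rc=0
    for key in disk_full_action admin_space_left_action disk_error_action; do
        val=$(audit_conf_get "$key" "$1" | tr '[:lower:]' '[:upper:]')
        case "$val" in
            SINGLE|HALT) ;;
            "") echo "$key: not set; rely on an explicit stop action, not the daemon default"; rc=1 ;;
            *)  echo "$key = $val: records may be lost or auditing quietly suspended"; rc=1 ;;
        esac
    done
    return $rc
}

# Rewrite the three keys in place (only keys already present are changed).
harden_audit_conf() {
    sed -i.bak \
        -e 's/^\([[:space:]]*admin_space_left_action[[:space:]]*=\).*/\1 SINGLE/' \
        -e 's/^\([[:space:]]*disk_full_action[[:space:]]*=\).*/\1 HALT/' \
        -e 's/^\([[:space:]]*disk_error_action[[:space:]]*=\).*/\1 HALT/' "$1"
}

# Constructed sample: a configuration that suspends auditing when space runs out.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
log_file = /var/log/audit/audit.log
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
check_audit_failure_policy "$demo_conf" || echo "rejected: $demo_conf"
harden_audit_conf "$demo_conf"
check_audit_failure_policy "$demo_conf" && echo "accepted after hardening"
# Kernel side of the same policy, panic rather than lose a record when the
# kernel cannot queue it (run as root on a live system): auditctl -f 2
```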