On 2019-09-18 22:33, Steve Grubb wrote:
On Thu, 19 Sep 2019 01:50:05 +0000
"Li,Rongqing" <lirongqing(a)baidu.com> wrote:
> No need knobs, auditctl can change the backlog length and wait time.
> And it is helpless to change the backlog length if auditd is hung
> forever, as a task can be hung forever due to disk/filesystem's
> abnormal, etc
>
> I am saying the audit default behaviors which is changed, I truly
> meet the issue as description of the below commit, if we can make
> change, other can avoid this issue.
I'd like to offer an opinion because this a long term issue that we
have faced and what exists is the result of having to meet certain
requirements.
If the machine boots with audit=0, which I think is default, then the
end user has no expectation of audit ever being in use. Audit events
may be discarded if the backlog fills up.
In fact, the default is neither explicit audit=0 nor audit=1. The case
above is the default where the audit subsystem is inactive until an
audit daemon registers with the kernel. In the case of an explicit
kernel command line of audit=0, audit is disabled until reboot and a
daemon cannot register.
If however the machine boots with audit=1, then the user is
expecting
that there will eventually be an audit daemon and they want all events.
All of them without fail. So, we have to take all measures to deliver
those events because this is required by common criteria as well as
other security standards such as PCI-DSS.
So, there are 2 paths. One which does not care about audit and one
that does. The original behavior did not meet requirements. If there is
any patch that fixes this, it would be to not have an audit backlog
wait time if audit has never been enabled. We have to be careful to
consider audit never enabled, audit disabled but previously enabled,
and audit enabled.
HTH...
-Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635