On 2017-02-07 10:05, Paul Moore wrote:
> On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor <pudge(a)pobox.com> wrote:
> > If I restart auditd, can it lose (not record to the logs) events that happen
> > during the restart? Or is the restart (and reload of new rules) essentially
> > atomic?
>
> The kernel maintains a backlog queue of audit records when auditd is
> not running and attempts to (re)send those records when auditd is
> started. However, the backlog queue size is fixed and it is possible
> to overflow the queue; if that happens a message will be sent to the
> kernel's ring buffer (dmesg).
The default is 64; the value recommended in some documentation is 320,
but values of 8k (8192) have been recommended to have enough buffer for
events like an auditd restart.
Chris, to answer the other half of your question, with respect to rules
being reloaded atomically, it isn't. My understanding is that it starts with
a -D to clear out all the rules and then adds rules in sequence from the
/etc/audit/audit.rules file, so it would be possible to miss an event
because the rule did not re-exist yet, unless you set your last rule to
-e 2 to make the ruleset immutable, in which case the restart of auditd
will have no effect on the existing immutable rule set.
> paul moore
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
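The two restart hazards discussed in this thread (a backlog queue that can overflow, and a rule set that is torn down with -D and rebuilt one rule at a time unless it is immutable) can be checked for from a rules file and from dmesg. The following Python is an added example written for this page; it is not code from the linux-audit list or from the audit project. It assumes the auditctl directive syntax (-D, -b N, -e 0|1|2, -w, -a) and the "audit: audit_lost=... audit_backlog_limit=..." / "audit: backlog limit exceeded" wording of the kernel's overflow report; the rules files and dmesg lines embedded below are constructed for illustration, and the 8192 threshold is the figure Richard mentions above.

```python
"""Lint audit.rules for restart hazards and count backlog overflows in dmesg.

Added example for this thread, not part of audit or auditd. Assumes the
auditctl rule syntax and the kernel's "audit: ..." overflow message format;
all sample input below is constructed.
"""
import re
import shlex

# Constructed rules file: small backlog, but immutable (-e 2 last).
IMMUTABLE_RULES = """\
## constructed sample /etc/audit/audit.rules
-D
-b 64
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-e 2
"""

# Constructed rules file: large backlog, but rules can be reloaded (-e 1).
MUTABLE_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-e 1
"""

# Constructed dmesg excerpt: two overflows; audit_lost is a cumulative counter.
SAMPLE_DMESG = """\
[  123.456789] audit: audit_lost=17 audit_rate_limit=0 audit_backlog_limit=64
[  123.456790] audit: backlog limit exceeded
[  140.000000] audit: audit_lost=18 audit_rate_limit=0 audit_backlog_limit=64
[  140.000001] audit: backlog limit exceeded
"""

LOST_RE = re.compile(
    r"audit: audit_lost=(\d+) audit_rate_limit=\d+ audit_backlog_limit=(\d+)")


def parse_rules(text):
    """Return a list of (directive, tokens), skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        entries.append((tokens[0], tokens))
    return entries


def lint_rules(text, recommended_backlog=8192):
    """Flag the conditions under which an auditd restart can drop events."""
    entries = parse_rules(text)
    findings = []
    if entries and entries[0][0] != "-D":
        findings.append("first directive is not -D; rules from the previous "
                        "load are not cleared before this file is applied")
    backlog = None
    for kind, toks in entries:
        if kind == "-b":
            backlog = int(toks[1])
    if backlog is None:
        findings.append("no -b directive: the kernel default backlog applies")
    elif backlog < recommended_backlog:
        findings.append(f"-b {backlog} is below {recommended_backlog}; records "
                        "queued while auditd is down may overflow the backlog")
    immutable_idx = [i for i, (k, t) in enumerate(entries)
                     if k == "-e" and t[1] == "2"]
    if immutable_idx:
        trailing = len(entries) - immutable_idx[-1] - 1
        if trailing:
            findings.append(f"{trailing} directive(s) follow -e 2; once the "
                            "rule set is immutable no further changes are accepted")
    else:
        nrules = sum(1 for k, _ in entries if k in ("-w", "-a", "-A"))
        findings.append(f"rule set is not immutable: a restart runs -D and "
                        f"re-adds {nrules} rule(s) one at a time, so an event "
                        "can slip past a rule that has not been re-added yet")
    return {"backlog": backlog, "immutable": bool(immutable_idx),
            "findings": findings}


def backlog_overflows(dmesg_text):
    """Count overflow reports and return the latest cumulative audit_lost value."""
    overflows, lost, limit = 0, 0, None
    for line in dmesg_text.splitlines():
        m = LOST_RE.search(line)
        if m:
            lost, limit = int(m.group(1)), int(m.group(2))
        if "audit: backlog limit exceeded" in line:
            overflows += 1
    return {"overflows": overflows, "lost": lost, "backlog_limit": limit}


if __name__ == "__main__":
    for name, rules in (("immutable", IMMUTABLE_RULES), ("mutable", MUTABLE_RULES)):
        print(name, lint_rules(rules))
    print(backlog_overflows(SAMPLE_DMESG))
```

On a live host the same checks would be run over the real /etc/audit/audit.rules and the output of `dmesg`; the lint deliberately reports both hazards separately, because the thread's two answers are independent: a large -b protects records while auditd is down, and -e 2 protects the rule set across restarts, at the cost of needing a reboot to change rules.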