Re: altering audit_log_start
On Wednesday 16 March 2005 12:22 pm, Steve Grubb wrote:
On Wednesday 16 March 2005 12:58, Timothy R. Chavez wrote:
> Any opinions on the matter?
It fails for 2 reasons, out of memory and backlog limit. If you're out of
memory, there's not much you can do. If you hit the backlog limit, there's
still not much you can do.
You can propigate the -ENOMEM message To me, that's the correct thing to do.
I think this comes down to "What do you consider good error handling?" When
you can fail out of a function for more then one reason, I think that the
caller is owed an explanation in the form of an errno regardless of whether
or not we're able to recover from the failure.
Before the flow of control is back in the caller, it will consult
audit_failure and either panic, print a message, or ignore it. In a CAPP
setting, I think they will be running in panic mode. Any lost message is a
problem.
Yes, I suppose this is what's happening. So I guess it doesn't matter.
So, if you get a failure returned, they are either in print or ignore mode.
In either case, they have chosen to live with lost messages.
Out of curiosity...what would you do to handle the backlog limit?
Not sure. I haven't really given it any consideration. I suppose I'd pass an
-EAGAIN, sleep, and try again.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
--
-tim