I wonder if it is necessary to audit auditd's own syscalls. For example, if I
want to audit something like "write,always -S all", then auditd writes a log
entry, which causes another write call, which causes audit to log it, which
causes auditd to write a log entry, and so on... I briefly looked into the
kernel audit code but there's no check (I could be wrong). In some extreme
situations it will cause a kernel panic in the kernel audit code because of
no memory. Try "exit,always -S all".
So, I'd like to suggest that 1) we should have some option to disable
audit for auditd's pid, and 2) add an option to use netlink_broadcast for
kernel audit error logs instead of printk(KERN_ERR), because printk(KERN_ERR)
causes a syslog write. Then auditd listens on the broadcast channel to detect
errors.
Please let me know if there are any problems. If this is acceptable then I'm
going to do it.
Thanks
--
Junji Kanemaru
Linuon Inc.
Tokyo Japan
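A defender-side check for the feedback loop described in the message above, as an added example that is not part of the original post or of the audit project's code: it lints an audit rule set for a catch-all syscall rule that is not preceded by a "never" rule scoped to the audit daemon's own pid (auditctl's `-F pid` field). The pid value and both rule sets are constructed placeholders.

```shell
#!/bin/sh
# Constructed example (not from the original message): a catch-all syscall
# rule with and without an exclusion for the audit daemon's own process.
AUDITD_PID=1234   # placeholder; on a real host use the pid of auditd

# Rule set that triggers the loop described in the message: every write(2),
# including auditd's own log writes, generates an audit record.
LOOPING_RULES="-a exit,always -S write"

# Rule set with the exclusion first: audit rules are evaluated first-match,
# so the 'never' rule drops auditd's own syscalls before the catch-all
# rule is reached.
SAFE_RULES="-a exit,never -F pid=${AUDITD_PID}
-a exit,always -S write"

# check_rules RULES_TEXT
#   returns 0 if the first catch-all rule (-S all or -S write) is preceded
#   by a 'never' rule scoped to a pid, 1 if it is not, and 2 if the rule
#   set contains no catch-all rule at all.
check_rules() {
    excluded=0
    while IFS= read -r line; do
        case "$line" in
            *exit,never*"-F pid="*)
                excluded=1 ;;
            *exit,always*"-S all"*|*exit,always*"-S write"*)
                [ "$excluded" -eq 1 ] && return 0
                return 1 ;;
        esac
    done <<EOF
$1
EOF
    return 2
}

# Run the check on both constructed rule sets and report the result.
if check_rules "$LOOPING_RULES"; then
    echo "looping rules: ok"
else
    echo "looping rules: catch-all rule without auditd exclusion (loop risk)"
fi
if check_rules "$SAFE_RULES"; then
    echo "safe rules: auditd excluded before catch-all rule"
fi
```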