--- Steve Grubb <sgrubb(a)redhat.com> wrote:

> On Wednesday 05 January 2005 11:40, Casey Schaufler wrote:
> > the only behavior that has ever been considered reliable is
> > for the audit daemon to send the system into
> > single user (or turn it off) when audit space is
> > not available.
>
> So then how do you bring it back up?

Single User.

> If it shuts down when there's no room and
> you restart the system, there's still no room.

Audit will have to be turned off in single user.

> Is it expected for users to disable auditing at boot,
> or boot to single user mode and then clear disk space?

No. Users are expected to be oblivious to audit.
The administrator does this.

> Just curious what the customer support for this is like.

Customers who enable audit usually run out of disk
so quickly that your rote description of what to do
had better be at your fingertips the day you release
the audit facility.

> Out of curiosity, how do you audit the children of
> xinetd? The current audit kernel implementation does
> not allow you to audit based on sid or pgid. Which
> brings up the question of "do we want that?"

Solaris and Irix keep two sets of audit flags,
one for all processes, and one that is process
specific. A process with audit flags of its own
is audited according to those flags, while a process
that has no flags is audited according to the
system flags. The audit flags are, like all good
little attributes, passed on to children. Now
pay attention, because here's where it gets ugly.
inetd (or xinetd if you're living in the 21st
century) must set the audit flags for the child
process it spawns, as well as the audit user id.
xinetd invokes a child to perform an action on a
user's behalf, which means that the action must be
audited as that user is audited.
=====
Casey Schaufler
casey(a)schaufler-ca.com
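An added illustration, not part of the thread, of the two-tier audit flag model Casey describes: system-wide flags, optional per-process flags that win when present, inheritance across fork, and the inetd/xinetd step that must reset the child's flags and audit uid. The audit class names ("lo", "ex", "fw") and pids are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

# Constructed system-wide audit flags (classes audited for every process
# that carries no flags of its own).
SYSTEM_FLAGS: FrozenSet[str] = frozenset({"lo", "ex"})


@dataclass(frozen=True)
class Process:
    pid: int
    auid: Optional[int]                 # audit user id; None = never set (e.g. init, inetd)
    flags: Optional[FrozenSet[str]]     # None = no process-specific flags


def effective_flags(proc: Process,
                    system_flags: FrozenSet[str] = SYSTEM_FLAGS) -> FrozenSet[str]:
    """A process with its own flags is audited by those; otherwise by the system flags."""
    return proc.flags if proc.flags is not None else system_flags


def is_audited(proc: Process, event_class: str) -> bool:
    """Would an event of this class, performed by proc, be recorded?"""
    return event_class in effective_flags(proc)


def fork(parent: Process, child_pid: int) -> Process:
    """fork(): audit flags and auid are inherited unchanged, like any other attribute."""
    return Process(pid=child_pid, auid=parent.auid, flags=parent.flags)


def inetd_spawn(inetd: Process, child_pid: int,
                user_auid: int, user_flags: Optional[FrozenSet[str]]) -> Process:
    """The step Casey calls ugly: before handing the child to the user's service,
    inetd overrides the inherited audit state so the child is audited as that user."""
    child = fork(inetd, child_pid)
    return replace(child, auid=user_auid, flags=user_flags)


def naive_spawn(inetd: Process, child_pid: int) -> Process:
    """The failure mode: a plain fork leaves the child audited as inetd itself,
    with no auid, so the user's actions are attributed to nobody."""
    return fork(inetd, child_pid)
```

The test below checks that a service spawned correctly inherits the user's flags into its own children, while a naively forked child keeps inetd's empty auid.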