On 16/02/11, Max Timchenko wrote:
On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> On 16/02/10, Max Timchenko wrote:
> > Has anyone tried that before? What would actually happen if two different
> > audit clients tried to use the same interface to the audit subsystem in
> > the kernel?
>
> With recent changes upstream, the second would be denied with -EEXIST.
>
> Before that, the older one would be starved out. And versions even
> older might actually have the newer one orphaned in the very occasional
> race where the older one shuts down after the second one starts.
>
> To quote Highlander, "There Can Be Only One".
Thanks Richard and Paul for your quick responses. It's great to hear
that support for containers is being worked on.
I have read the docs on audispd(8) - is it something auditd and the
other client could use to enable multiple access? It sounds like
audispd does support multiple clients, but I would guess all clients
would have to use the audispd plugin interface instead of the usual
kernel API.
What is missing from the documentation for me is the relationship
between audispd and auditd - whether audispd is an optional component
of auditd that can run concurrently, or audispd is a replacement of
auditd when configured (and then auditd cannot run on the same machine
without running into the same multi-client issues).
I will defer to Steve Grubb on this question as the userspace tools are
his domain of expertise.
Yours,
--
Max
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
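
Added example, not part of the original thread or of the audit project's code: before starting a second audit client, a read-only AUDIT_GET query shows which pid currently holds the kernel audit interface, and decoding the netlink reply shows the -EEXIST denial mentioned above. The function names and the sample replies are constructed for illustration; the numeric constants are the values from linux/netlink.h and linux/audit.h.

```python
import errno
import socket
import struct

NETLINK_AUDIT = 9        # linux/netlink.h
NLMSG_ERROR = 2          # linux/netlink.h
NLM_F_REQUEST = 0x01
AUDIT_GET = 1000         # linux/audit.h: request/reply carrying struct audit_status
NLMSG_HDR = struct.Struct("=IHHII")    # nlmsg_len, type, flags, seq, pid
STATUS_HEAD = struct.Struct("=IIII")   # audit_status: mask, enabled, failure, pid

def build_get_request(seq=1):
    """AUDIT_GET carries no payload, so the message is just the header."""
    return NLMSG_HDR.pack(NLMSG_HDR.size, AUDIT_GET, NLM_F_REQUEST, seq, 0)

def parse_reply(data):
    """Decode one netlink message: an audit_status reply or an NLMSG_ERROR."""
    if len(data) < NLMSG_HDR.size:
        raise ValueError("truncated netlink header")
    length, mtype, _flags, _seq, _pid = NLMSG_HDR.unpack_from(data)
    if not NLMSG_HDR.size <= length <= len(data):
        raise ValueError("bad nlmsg_len")
    payload = data[NLMSG_HDR.size:length]
    if mtype == NLMSG_ERROR and len(payload) >= 4:
        (err,) = struct.unpack_from("=i", payload)   # negative errno
        return {"kind": "error", "errno": errno.errorcode.get(-err, str(-err))}
    if mtype == AUDIT_GET and len(payload) >= STATUS_HEAD.size:
        _mask, enabled, _failure, pid = STATUS_HEAD.unpack_from(payload)
        return {"kind": "status", "enabled": enabled, "daemon_pid": pid}
    raise ValueError("unexpected message type %d" % mtype)

def interface_is_free(reply):
    """True only when the kernel reports no registered audit daemon (pid 0)."""
    return reply["kind"] == "status" and reply["daemon_pid"] == 0

def query_kernel():
    """Live query; Linux only, needs CAP_AUDIT_CONTROL. Not run by the samples."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.send(build_get_request())
        return parse_reply(s.recv(8192))

# Constructed sample replies (not captured from a real system).
SAMPLE_OWNED = NLMSG_HDR.pack(32, AUDIT_GET, 0, 1, 0) + STATUS_HEAD.pack(0, 1, 1, 812)
SAMPLE_EEXIST = (NLMSG_HDR.pack(36, NLMSG_ERROR, 0, 1, 0)
                 + struct.pack("=i", -errno.EEXIST) + build_get_request())

if __name__ == "__main__":
    for sample in (SAMPLE_OWNED, SAMPLE_EEXIST):
        r = parse_reply(sample)
        print(r, "free" if interface_is_free(r) else "in use or denied")
```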