Re: Auditd shutdown
On Tuesday 12 April 2005 10:29, Steve Grubb wrote:
I came to the conclusion that the only way to "do it
right" is to get the
credentials in the signal handler.
It just occurred to me that we could have a variable that gets stuffed when
the signal is detected as going to the audit daemon. Then the audit daemon
could request shutdown info. The kernel fills in a structure and sends it
back (similar to the request status command).
By doing it this way, we avoid the queue and backlog full. We can look for the
reply to a specific request which is easy. That same command can also switch
the audit pid to 0 after the packet was sent to user space.
-Steve