On Thursday 27 March 2008 20:52:03 Eric Paris wrote:
> On Thu, 2008-03-27 at 17:50 -0400, Steve Grubb wrote:
> > On Thursday 27 March 2008 17:37:44 Eric Paris wrote:
> > > If auditd never starts the kernel will hold by default up to 64
> > > messages in memory forever.
> >
> > I have an idea. Maybe this behavior could be enabled if audit=1 is passed
> > as a boot parameter. In this way, you would know that the user intended
> > for the audit daemon to start at some point. You could then call audit
> > panic or whatever else is normal. If no audit=1 is passed, you could just
> > do the printk like usual and not waste memory. Would this be helpful?
>
> I could probably do that. I also could conditionalize it on auditd ever
> having run. I can't imagine it is normal for auditd to be running and
> then stopped forever....
Could be, but if auditd stops, we normally send things to syslog.
> Anyone else see value in that situation? Only do it on boot if audit=1
> is passed? Does anyone actually use that command line option?
Yes, anyone that is serious about audit *has* to use that boot option. That is
the one thing that differentiates a casual user from a serious user of audit.
The serious user would always be expecting auditd to start at some point.
-Steve
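The routing policy the two of them are weighing (hold records in a bounded backlog when a daemon is expected, printk to syslog when it is not, flush when auditd registers) can be modelled in a few dozen lines. The following is an added, constructed user-space model written for this page; it is not kernel code and not anything from the audit project. The 64-record limit is the default named in the thread; the struct, function names, the `audit=1` command-line parser and the "auditd ever ran" flag are assumptions made for illustration, and `printf` stands in for `printk`.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed model (not kernel code) of where an audit record goes when
 * no daemon is connected. "audit=1" on the boot line means auditd is
 * expected later, so records are held in a bounded backlog; otherwise
 * they go to syslog via printk and consume no memory. */

#define BACKLOG_LIMIT 64          /* default queue depth named in the thread */
#define MSG_LEN 96

enum route { ROUTE_DAEMON, ROUTE_BACKLOG, ROUTE_SYSLOG, ROUTE_PANIC };

struct audit_state {
    bool boot_audit_enabled;      /* audit=1 seen on the kernel command line */
    bool auditd_ever_ran;         /* Eric's alternative condition (assumed flag) */
    bool auditd_connected;        /* a daemon is currently registered */
    char backlog[BACKLOG_LIMIT][MSG_LEN];
    int backlog_len;
    int delivered;                /* records handed to the daemon */
    int syslogged;                /* records sent to syslog instead */
    int lost;                     /* records refused at backlog overflow */
};

static void audit_init(struct audit_state *s, bool boot_audit_enabled)
{
    memset(s, 0, sizeof *s);
    s->boot_audit_enabled = boot_audit_enabled;
}

/* Constructed helper: does the command line carry exactly "audit=1"? */
static bool cmdline_has_audit_1(const char *cmdline)
{
    const char *p = cmdline;
    while ((p = strstr(p, "audit=")) != NULL) {
        if (p == cmdline || p[-1] == ' ')
            return p[6] == '1' && (p[7] == '\0' || p[7] == ' ');
        p += 6;
    }
    return false;
}

/* Route one record and report which path it took. */
static enum route audit_log(struct audit_state *s, const char *msg)
{
    if (s->auditd_connected) {
        s->delivered++;
        return ROUTE_DAEMON;
    }
    bool expect_daemon = s->boot_audit_enabled || s->auditd_ever_ran;
    if (!expect_daemon) {
        printf("kernel: audit: %s\n", msg);   /* stands in for printk */
        s->syslogged++;
        return ROUTE_SYSLOG;
    }
    if (s->backlog_len >= BACKLOG_LIMIT) {
        s->lost++;                           /* where audit_panic would act */
        return ROUTE_PANIC;
    }
    strncpy(s->backlog[s->backlog_len], msg, MSG_LEN - 1);
    s->backlog[s->backlog_len][MSG_LEN - 1] = '\0';
    s->backlog_len++;
    return ROUTE_BACKLOG;
}

/* auditd registers: hand over held records, return how many were flushed. */
static int auditd_connect(struct audit_state *s)
{
    int flushed = s->backlog_len;
    s->auditd_connected = true;
    s->auditd_ever_ran = true;
    s->delivered += flushed;
    s->backlog_len = 0;
    return flushed;
}

static void auditd_disconnect(struct audit_state *s)
{
    s->auditd_connected = false;
}

int main(void)
{
    struct audit_state s;
    int i;
    audit_init(&s, cmdline_has_audit_1("ro quiet audit=1"));
    for (i = 0; i < 70; i++)
        audit_log(&s, "constructed record");
    printf("held=%d lost=%d\n", s.backlog_len, s.lost);   /* held=64 lost=6 */
    printf("flushed=%d\n", auditd_connect(&s));            /* flushed=64 */
    return 0;
}
```

Two things the model makes visible: with `audit=1` the memory cost is bounded at 64 records and anything beyond that is a loss event rather than unbounded growth, and without `audit=1` nothing is held at all, which is exactly the trade-off Steve's proposal is about.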