On Thu, 2008-03-27 at 17:50 -0400, Steve Grubb wrote:
> On Thursday 27 March 2008 17:37:44 Eric Paris wrote:
> > This is useful to collect audit messages during bootup and even when auditd
> > is stopped. This is NOT a reliable mechanism, it does not ever call
> > audit_panic, nor should it.
>
> Thanks Eric for working on this. We've needed this for quite a while so that
> we can see some of the avcs that happen during boot.
>
> > If auditd never starts the kernel will hold by default up to 64 messages
> > in memory forever.
>
> I have an idea. Maybe this behavior could be enabled if audit=1 is passed as a
> boot parameter. In this way, you would know that the user intended for the
> audit daemon to start at some point. You could then call audit panic or
> whatever else is normal. If no audit=1 is passed, you could just do the
> printk like usual and not waste memory. Would this be helpful?

I could probably do that. I also could conditionalize it on auditd ever
having run. I can't imagine it is normal for auditd to be running and
then stopped forever....
Anyone else see value in that situation? Only do it on boot if audit=1
is passed? Does anyone actually use that command line option?
-Eric
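A small C model of the hold-queue behaviour discussed in this thread, added here as an illustration; it is not Eric's patch or kernel code. Records arriving before auditd connects are held up to the 64-entry cap and then dropped silently (never audit_panic), held records are replayed when the daemon connects, and holding is gated either on a stand-in for the audit=1 boot parameter (Steve's suggestion) or on auditd having connected once (Eric's alternative); otherwise the record takes the printk path. All function names, counters and sample records are constructed for the example.

```c
#include <stdbool.h>
#include <string.h>
#define AUDIT_HOLD_MAX 64   /* in-memory hold cap discussed in the thread */

/* Illustrative model state; not the kernel's real data structures. */
static char hold_queue[AUDIT_HOLD_MAX][96];
static int hold_count, hold_dropped, delivered, printed;
static bool audit_boot_param;   /* stands in for audit=1 on the kernel command line */
static bool auditd_ever_ran;    /* Eric's alternative gate: auditd has connected once */
static bool auditd_connected;
int audit_model_reset(bool boot_param) {
    hold_count = hold_dropped = delivered = printed = 0;
    audit_boot_param = boot_param;
    auditd_ever_ran = auditd_connected = false;
    return 0;
}

/* One audit record arrives, e.g. an AVC denial during boot. */
void audit_log_record(const char *text) {
    if (auditd_connected) { delivered++; return; }      /* normal path: daemon gets it */
    if (!audit_boot_param && !auditd_ever_ran) {         /* nobody asked for auditing */
        printed++;                                       /* plain printk, hold nothing */
        return;
    }
    if (hold_count < AUDIT_HOLD_MAX)
        strncpy(hold_queue[hold_count++], text, sizeof hold_queue[0] - 1);
    else
        hold_dropped++;   /* best effort by design: lost silently, never audit_panic */
}

int audit_model_generate(const char *text, int n) {   /* submit n constructed records */
    for (int i = 0; i < n; i++)
        audit_log_record(text);
    return n;
}

/* auditd registers: replay the held records in order, then go live. */
int auditd_connect(void) {
    int flushed = hold_count;
    delivered += flushed;
    hold_count = 0;
    auditd_connected = auditd_ever_ran = true;
    return flushed;
}

int auditd_disconnect(void) { auditd_connected = false; return hold_count; }  /* daemon stopped */
int audit_hold_pending(void) { return hold_count; }
int audit_hold_dropped(void) { return hold_dropped; }
int audit_delivered(void)    { return delivered; }
int audit_printk_count(void) { return printed; }
```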