On Thursday 03 February 2005 08:29, Junji Kanemaru wrote:
> I wonder if it is needed to audit auditd's syscalls.

This is configurable by the auditctl rules. If the system admin wants it, he
can get it. If not, he can add a rule not to log it.

> For example if I want to audit like "write,always -S all" then auditd
> writes a log entry, which causes another write call, which causes audit to
> log it, which causes auditd to write a log entry, and so on...

I think this is expected.

> I briefly looked into the kernel audit code but there's no check (I could be
> wrong). In some extreme situation it will cause a kernel panic in the kernel
> audit code because there is no memory. Try "exit,always -S all".

I think Chris added a patch that helps a little with out of memory conditions.
There are also other audit subsystem control parameters to let you limit the
rate at which packets are sent and how many buffers it should set up.

> So, I'd like to suggest that 1) we should have some option to disable
> audit for auditd's pid:
>
> auditctl -a entry,never -S all -F pid=XXXX

This rule should be at the top of the list. I believe they are "executed" from
top to bottom like iptables does.

> 2) add an option to use netlink_broadcast for the kernel audit error log
> instead of printk(KERN_ERR), because printk(KERN_ERR) causes a syslog write.

I don't want the audit log polluted with kernel error messages. I think they
belong in syslog.
-Steve
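An added example (not code from this thread or from the audit project) that models the top-to-bottom, first-match rule walk the reply above relies on, to show why the "entry,never" rule for auditd's pid has to sit above any "-S all" rule. It assumes the kernel consults the entry list before the exit list and stops at the first matching rule; the pids, process names and syscall records are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    list_name: str                  # "entry" or "exit"
    action: str                     # "always" or "never"
    syscalls: Optional[set]         # None stands for "-S all"
    fields: dict = field(default_factory=dict)  # "-F pid=1234" -> {"pid": 1234}

    def matches(self, ev: dict) -> bool:
        return ((self.syscalls is None or ev["syscall"] in self.syscalls)
                and all(ev.get(k) == v for k, v in self.fields.items()))

def parse_rule(line: str) -> Rule:
    """Parse the auditctl subset used in the thread:
    -a <list>,<action> -S <name|all> [-S ...] [-F key=value ...]"""
    toks = line.split()
    list_name, action = toks[toks.index("-a") + 1].split(",")
    syscalls, fields = set(), {}
    for i, tok in enumerate(toks):
        if tok == "-S":
            syscalls.add(toks[i + 1])
        elif tok == "-F":
            key, val = toks[i + 1].split("=")
            fields[key] = int(val) if val.isdigit() else val
    return Rule(list_name, action, None if "all" in syscalls else syscalls, fields)

def first_match(rules, list_name, ev) -> Optional[str]:
    """Walk one filter list top to bottom, iptables-style; first match decides."""
    for r in rules:
        if r.list_name == list_name and r.matches(ev):
            return r.action
    return None

def is_audited(rules, ev) -> bool:
    # Assumed model: a match on the entry list settles the syscall; only when
    # nothing on the entry list matches is the exit list consulted.
    entry = first_match(rules, "entry", ev)
    if entry is not None:
        return entry == "always"
    return first_match(rules, "exit", ev) == "always"

# Constructed sample syscalls: auditd (pid 1234) writing its own log, and sshd.
EVENTS = [
    {"pid": 1234, "comm": "auditd", "syscall": "write"},
    {"pid": 2000, "comm": "sshd", "syscall": "write"},
]

def audited_comms(rule_lines) -> list:
    """Names of the sample processes whose write() would be logged."""
    rules = [parse_rule(line) for line in rule_lines]
    return [ev["comm"] for ev in EVENTS if is_audited(rules, ev)]
```

With only "-a exit,always -S all" loaded, auditd's own write is logged, which is the feedback loop described in the quoted mail; placing the never rule for auditd's pid first breaks it, while placing it after an entry "-S all" rule leaves it shadowed.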