What I have currently: on disk full, auditd will notify the kernel,
which sets a flag "disk_full_flag". During audit_log_start, if the
disk_full_flag is set, the process will be queued in a wait queue until
auditd or auditctl resets the disk_full_flag.
I can provide more details if needed. This is the general method I am
going to use to cover this CAPP requirement.
Mounir
Mounir Bsaibes
Linux Security
Tel: (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes(a)us.ibm.com
Klaus Weidner <klaus(a)atsec.com>
Sent by: linux-audit-bounces(a)redhat.com
12/14/2004 03:48 PM
Please respond to
Linux Audit Discussion
To
Chris Wright <chrisw(a)osdl.org>
cc
Linux Audit Discussion <linux-audit(a)redhat.com>
Subject
Re: best way to audit in vfs
On Tue, Dec 14, 2004 at 01:28:11PM -0800, Chris Wright wrote:
* Klaus Weidner (klaus(a)atsec.com) wrote:
> I think this is the fundamental disagreement here - if you want to
> filter audit records based on object identity, you need to have the
> object identity information available when applying the filter rules.
> If you want to do the filtering in the kernel, there isn't really any
> alternative to storing this information in kernel space.
Hmm, it's been a while since I looked at CAPP audit requirements, but
doesn't it require action if log is full? E.g., possibly not allowing
request to complete?
It does, but this does not need to be instantaneous. The current plan is
that auditd notifies the kernel if it detects an "out of disk space"
condition, and this will tell the kernel that it shouldn't queue any
additional records.
When the in-kernel queue is full, any system calls that need to generate
an audit record block and wait for space to become available again. (BTW,
this may be an argument against generating audit records at arbitrary
places in the kernel, since such waiting may not be possible there.)
CAPP requires that the lossage of audit data has been minimized by the
developer and clearly documented. Losing a couple of records if the disk
is full and the system then crashes is acceptable from a CAPP point of
view.
-Klaus
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
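The disk-full handling described in both messages above, as an added example that is not code from the thread or from the kernel: a userspace Python model with a constructed AuditState, where callers that may sleep block on disk_full_flag until auditd/auditctl clears it, and callers that cannot sleep (Klaus's caveat) drop the record and count the loss instead.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class AuditState:
    """Constructed stand-in for the kernel-side audit state discussed in the thread."""
    disk_full_flag: bool = False
    lost_records: int = 0   # CAPP: loss must be minimized and accounted for
    next_serial: int = 0
    cond: threading.Condition = field(default_factory=threading.Condition)


def set_disk_full(state, full):
    """auditd/auditctl side: raise or clear disk_full_flag; clearing wakes sleepers."""
    with state.cond:
        state.disk_full_flag = full
        if not full:
            state.cond.notify_all()


def clear_disk_full_after(state, delay):
    """Helper: model auditd clearing the flag once space is available again."""
    timer = threading.Timer(delay, set_disk_full, args=(state, False))
    timer.start()
    return timer


def audit_log_start(state, can_sleep=True, timeout=None):
    """Caller side: return a record serial, or wait while disk_full_flag is set.

    can_sleep=False models call sites where blocking is impossible; the
    record is dropped and counted rather than queued. A timeout that
    expires with the flag still set is treated the same way.
    """
    with state.cond:
        if state.disk_full_flag and not can_sleep:
            state.lost_records += 1
            return None
        # wait_for returns False only if the timeout expires with the flag set
        if not state.cond.wait_for(lambda: not state.disk_full_flag, timeout=timeout):
            state.lost_records += 1
            return None
        state.next_serial += 1
        return state.next_serial
```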