On 16/02/10, Max Timchenko wrote:
> Dear all,
> I have a situation where there are two audit clients on the same machine:
> one of them is auditd, and another one is an IDS client that uses the audit
> subsystem directly. By looking at the source
> (http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
> that there might be no provision in the kernel for multiple audit subsystem
> userland daemons running in parallel (only one pid, only one netlink socket
> in the kernel). I could not find any documentation confirming or denying
> that.
> Has anyone tried that before? What would actually happen if two different
> audit clients tried to use the same interface to the audit subsystem in the
> kernel?
With recent changes upstream, the second would be denied with -EEXIST.
Before that, the older one would be starved out. And versions even
older might actually have the newer one orphaned in the very occasional
race where the older one shuts down after the second one starts.
To quote Highlander, "There Can Be Only One".
There is also planning to be done to allow one auditd per user
namespace to support containers, but we aren't there yet.
> Max
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
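An added example, not code from either poster: before an IDS agent tries to register as the audit daemon, it can ask the kernel who already owns the single daemon slot with a read-only AUDIT_GET over NETLINK_AUDIT (the same status `auditctl -s` prints; needs CAP_AUDIT_CONTROL). The enum names and helper functions are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Who currently holds the kernel's single audit-daemon slot (names are this example's). */
enum audit_owner { OWNER_NONE, OWNER_OTHER, OWNER_SELF };

/* Pure decision step: kernel-reported daemon pid versus our own pid. */
enum audit_owner classify_owner(unsigned int registered_pid, unsigned int self)
{
    if (registered_pid == 0)
        return OWNER_NONE;                 /* slot free: a registration would succeed */
    return registered_pid == self ? OWNER_SELF : OWNER_OTHER;
}

/* Send AUDIT_GET (no payload) and return the registered daemon pid, or -errno.
 * On failure the kernel answers with NLMSG_ERROR carrying a negative errno. */
int query_audit_pid(void)
{
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    struct nlmsghdr req = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = AUDIT_GET,
                            .nlmsg_flags = NLM_F_REQUEST };
    union { struct nlmsghdr nlh; char buf[1024]; } rep;      /* room for any audit_status size */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT), ret;
    ssize_t n;

    if (fd < 0)
        return -errno;
    if (sendto(fd, &req, req.nlmsg_len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        ret = -errno; close(fd); return ret;
    }
    n = recv(fd, &rep, sizeof rep, 0);
    ret = (n < 0) ? -errno : -EPROTO;
    close(fd);
    if (n < (ssize_t)sizeof(struct nlmsghdr))
        return ret;
    if (rep.nlh.nlmsg_type == NLMSG_ERROR)
        return ((struct nlmsgerr *)NLMSG_DATA(&rep.nlh))->error;
    if (rep.nlh.nlmsg_type != AUDIT_GET)
        return -EPROTO;
    return (int)((struct audit_status *)NLMSG_DATA(&rep.nlh))->pid;
}

int main(void)
{
    int pid = query_audit_pid();
    if (pid < 0) { fprintf(stderr, "AUDIT_GET failed: %s\n", strerror(-pid)); return 1; }
    switch (classify_owner((unsigned)pid, (unsigned)getpid())) {
    case OWNER_NONE:  puts("no audit daemon registered"); break;
    case OWNER_OTHER: printf("pid %d owns the audit socket; a second daemon would get -EEXIST\n", pid); break;
    case OWNER_SELF:  puts("this process is the registered audit daemon"); break;
    }
    return 0;
}
```

Run as root on a host with auditd running and it reports auditd's pid; a second client should back off (or consume events from auditd's dispatcher) rather than register and starve the existing daemon on older kernels.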