On Wednesday 05 January 2005 11:40, Casey Schaufler wrote:
> the only behavior that has ever been considered reliable is
> for the audit daemon to send the system into
> single user (or turn it off) when audit space is
> not available.
So then how do you bring it back up? If it shuts down when there's no room and
you restart the system, there's still no room. Is it expected for users to
disable auditing at boot, or boot to single user mode and then clear disk
space? Just curious what the customer support for this is like.
> One example I like to use is inetd, which *must* be
> audited and which will cause amazing (lack of) behavior if it's
> suspended.
Out of curiosity, how do you audit the children of xinetd? The current audit
kernel implementation does not allow you to audit based on sid or pgid. Which
brings up the question of "do we want that?"
-Steve Grubb