From: LC Bruzenak <lenny@magitekltd.com>
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] Audit: save audit_backlog_limit audit messages in case auditd comes back
Date: Fri, 28 Mar 2008 10:50:16 -0500
Message-ID: <1206719416.6600.17.camel@homeserver>
In-Reply-To: <1206665523.2878.23.camel@localhost.localdomain>

On Thu, 2008-03-27 at 20:52 -0400, Eric Paris wrote:
> On Thu, 2008-03-27 at 17:50 -0400, Steve Grubb wrote:
> > On Thursday 27 March 2008 17:37:44 Eric Paris wrote:
> > > This is useful to collect audit messages during bootup and even when auditd
> > > is stopped.  This is NOT a reliable mechanism, it does not ever call
> > > audit_panic, nor should it. 
> > 
> > Thanks Eric for working on this. We've needed this for quite a while so that 
> > we can see some of the avcs that happen during boot.
> > 
> > 
> > > If auditd never starts the kernel will hold by default up to 64 messages
> > > in memory forever.
> > 
> > I have an idea. Maybe this behavior could be enabled if audit=1 is passed as a 
> > boot parameter. In this way, you would know that the user intended for the 
> > audit daemon to start at some point. You could then call audit panic or 
> > whatever else is normal. If no audit=1 is passed, you could just do the 
> > printk like usual and not waste memory. Would this be helpful?
> 
> I could probably do that.  I also could conditionalize it on auditd ever
> having run.  I can't imagine it is normal for auditd to be running and
> then stopped forever....

Unless it is an IDS-like event. Or a sysadmin makes a mistake.

> 
> Anyone else see value in that situation?  Only do it on boot if audit=1
> is passed?  Does anyone actually use that command line option?

I will start using it. Audit collected as early in the boot sequence as
possible is better.

> 
> -Eric
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
