public inbox for linux-audit@redhat.com
From: Richard Guy Briggs <rgb@redhat.com>
To: Max Timchenko <maxvt@bu.edu>
Cc: linux-audit@redhat.com
Subject: Re: Running multiple audit service clients
Date: Wed, 10 Feb 2016 21:30:15 -0500
Message-ID: <20160211023015.GI22138@madcap2.tricolour.ca>
In-Reply-To: <CAF6gGuCK1QmU18QsHs0h0t3S6-gehQzXvyfJbNLj7QpRfL9VVQ@mail.gmail.com>

On 16/02/10, Max Timchenko wrote:
> Dear all,
> 
> I have a situation where there are two audit clients on the same machine:
> one of them is auditd, and another one is an IDS client that uses the audit
> subsystem directly. By looking at the source (
> http://lxr.free-electrons.com/source/kernel/audit.c?v=3.13#L787), I suspect
> that there might be no provision in the kernel for multiple audit subsystem
> userland daemons running in parallel (only one pid, only one netlink socket
> in the kernel). I could not find any documentation confirming or denying
> that.
> 
> Has anyone tried that before? What would actually happen if two different
> audit clients tried to use the same interface to the audit subsystem in the
> kernel?

With recent changes upstream, the second would be denied with -EEXIST.

Before that, the older one would be starved out.  And versions even
older might actually have the newer one orphaned in the very occasional
race where the older one shuts down after the second one starts.

To quote Highlander, "There Can Be Only One".

There is also planning to be done to allow one auditd per user
namespace to support containers, but we aren't there yet.

> Max

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
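
An added example, not part of the original message or of any project's code: how a second audit client (such as the IDS agent in the question) can recognise the -EEXIST refusal described above in the netlink ack to its AUDIT_SET registration request, so it can report the conflict instead of silently receiving no events. The enum and function names are hypothetical, and the ack bytes are constructed in place of a real kernel reply.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>    /* AUDIT_SET */
#include <linux/netlink.h>  /* struct nlmsghdr, struct nlmsgerr */

/* Hypothetical result names for this example. */
enum reg_result { REG_OK, REG_TAKEN, REG_DENIED, REG_OTHER_ERR, REG_MALFORMED };

/* Classify the netlink ack returned for an AUDIT_SET request that asked
 * to become the audit daemon. */
enum reg_result classify_audit_set_ack(const void *buf, size_t len)
{
    struct nlmsghdr nlh;
    struct nlmsgerr err;

    if (len < sizeof(nlh))
        return REG_MALFORMED;
    memcpy(&nlh, buf, sizeof(nlh));
    if (nlh.nlmsg_type != NLMSG_ERROR || nlh.nlmsg_len > len ||
        nlh.nlmsg_len < NLMSG_LENGTH(sizeof(err)))
        return REG_MALFORMED;
    memcpy(&err, (const char *)buf + NLMSG_HDRLEN, sizeof(err));
    switch (err.error) {
    case 0:       return REG_OK;      /* this client now owns the audit socket */
    case -EEXIST: return REG_TAKEN;   /* another daemon is already registered */
    case -EPERM:  return REG_DENIED;  /* caller lacks CAP_AUDIT_CONTROL */
    default:      return REG_OTHER_ERR;
    }
}

/* Build a constructed ack (sample input only) carrying the given error. */
size_t build_sample_ack(void *buf, size_t cap, int error)
{
    struct nlmsghdr nlh = {0};
    struct nlmsgerr err = {0};

    if (cap < NLMSG_LENGTH(sizeof(err)))
        return 0;
    nlh.nlmsg_len = NLMSG_LENGTH(sizeof(err));
    nlh.nlmsg_type = NLMSG_ERROR;
    err.error = error;
    err.msg.nlmsg_type = AUDIT_SET;   /* header of the request being acked */
    memcpy(buf, &nlh, sizeof(nlh));
    memcpy((char *)buf + NLMSG_HDRLEN, &err, sizeof(err));
    return nlh.nlmsg_len;
}

int main(void)
{
    char buf[64];
    size_t n = build_sample_ack(buf, sizeof(buf), -EEXIST);
    if (classify_audit_set_ack(buf, n) == REG_TAKEN)
        fprintf(stderr, "audit daemon already registered; not taking over\n");
    return 0;
}
```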
