linux-audit.redhat.com archive mirror
From: Steve Grubb <sgrubb@redhat.com>
To: Matthew Chao <mathewchao@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: How to monitor audit/audispd killed
Date: Tue, 05 Jan 2016 12:48:39 -0500	[thread overview]
Message-ID: <2051384.UMDlMJSUJC@x2> (raw)
In-Reply-To: <CAH8ERfY43a13VT2yXMj4xqEUqAnJwFH0+bpw7rFrU3SXsSnSKQ@mail.gmail.com>

On Wednesday, January 06, 2016 12:12:54 AM Matthew Chao wrote:
> In short, my question is: my program depends on audispd to dispatch audit
> messages, for security's sake, when audispd is killed, how can I know it
> happened in time in order to restart audispd?

I think that you have to approach the problem from a different angle. As a 
child of audispd, you will probably get a SIGPIPE, which, if unhandled, will 
cause termination. That said, your application can't really start audispd, 
because auditd needs to in order to set up the pipes. Then audispd needs to 
start your plugin.

But that raises the question of whether you are seeing any problems that cause 
audispd to be killed. The reason I ask is that no one is reporting problems 
where either auditd or audispd are terminating due to a fault.

But if you were just wanting to be careful, then you really ought to write a 
small program whose whole job is to start auditd and catch SIGCHLD. When 
you catch SIGCHLD, restart the audit daemon. If your watcher gets any signals 
such as SIGHUP/USR1/USR2/TERM, then pass them along to auditd.

If you are on a system with systemd as the init system, it already has a 
Restart= option to restart a critical service if it shuts down. That said, an 
admin can always shut down the audit service if they want to.

Are you having problems with audispd or just trying to be careful with a 
design?

Hope this helps...

-Steve


> On Tuesday, January 5, 2016, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Tuesday, January 05, 2016 06:08:54 PM Matthew Chao wrote:
> > > > "You can watch audispd, but I don't think that will help anything.
> > > 
> > > my program totally depends on audispd to dispatch audit messages. I
> > > think audispd needs more robust mechanisms to monitor itself being
> > > killed, otherwise it inevitably leads to audispd's plugins receiving
> > > nothing but always waiting for event messages.
> > > 
> > > So are there some alternative ways to monitor audispd killed in audit
> > > ver1.8 ?
> > 
> > To help you, I need to know more about what the actual problem is that
> > you are trying to solve. Would you like to explain the problem so we can
> > help figure out how to address it?
> > 
> > Thanks,
> > -Steve
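The watcher Steve describes above, written out as an added example in C; it is not part of the audit project or of this thread. The supervisor starts the daemon, waits synchronously for SIGCHLD and restarts the child when it dies, and passes SIGHUP/SIGUSR1/SIGUSR2 through to it; SIGTERM (or SIGINT) is forwarded and then the supervisor exits. Assumptions made here: auditd lives at /sbin/auditd and is started with -n (no fork) so that the supervisor's direct child is the daemon itself rather than a parent that exits after daemonizing; the restart limit and backoff are the example's own choices, and the test runs a throwaway `sh -c` child in place of auditd.

```c
/* Added example, not from the audit project: a minimal auditd supervisor.
 * Assumes /sbin/auditd exists and accepts -n (run without forking). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Signals the supervisor handles itself instead of letting them terminate it. */
static const int WATCHED[] = { SIGCHLD, SIGHUP, SIGUSR1, SIGUSR2, SIGTERM, SIGINT };
static const size_t NWATCHED = sizeof WATCHED / sizeof WATCHED[0];

static void build_set(sigset_t *set)
{
    sigemptyset(set);
    for (size_t i = 0; i < NWATCHED; i++)
        sigaddset(set, WATCHED[i]);
}

/* Fork and exec the daemon. The child must get the normal signal mask back,
 * otherwise the daemon inherits our blocked set and never sees SIGTERM. */
static pid_t start_daemon(char *const argv[], const sigset_t *blocked)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        sigprocmask(SIG_UNBLOCK, blocked, NULL);
        execvp(argv[0], argv);
        _exit(127);             /* exec failed; counts as a dead child */
    }
    return pid;
}

/* Run argv under supervision and return the number of restarts performed.
 * The loop ends when SIGTERM/SIGINT arrives (forwarded to the child first)
 * or once the child has died max_restarts times. Returns -1 on error. */
int supervise(char *const argv[], int max_restarts, unsigned backoff_sec)
{
    sigset_t set;
    build_set(&set);
    /* Block the set so sigwaitinfo() can collect the signals synchronously;
     * this avoids doing real work inside an async signal handler. */
    sigprocmask(SIG_BLOCK, &set, NULL);

    int restarts = 0;
    pid_t child = start_daemon(argv, &set);
    if (child < 0) {
        sigprocmask(SIG_UNBLOCK, &set, NULL);
        return -1;
    }

    for (;;) {
        siginfo_t si;
        if (sigwaitinfo(&set, &si) < 0) {
            if (errno == EINTR)
                continue;
            sigprocmask(SIG_UNBLOCK, &set, NULL);
            return -1;
        }

        if (si.si_signo == SIGCHLD) {
            int status;
            if (waitpid(child, &status, WNOHANG) != child)
                continue;       /* not our daemon, or it has not exited */
            if (WIFSIGNALED(status))
                fprintf(stderr, "daemon %ld killed by signal %d\n",
                        (long)child, WTERMSIG(status));
            else
                fprintf(stderr, "daemon %ld exited with status %d\n",
                        (long)child, WEXITSTATUS(status));
            if (restarts >= max_restarts)
                break;          /* give up rather than flap forever */
            restarts++;
            if (backoff_sec)
                sleep(backoff_sec * (unsigned)restarts);  /* linear backoff */
            child = start_daemon(argv, &set);
            if (child < 0) {
                sigprocmask(SIG_UNBLOCK, &set, NULL);
                return -1;
            }
        } else if (si.si_signo == SIGTERM || si.si_signo == SIGINT) {
            kill(child, SIGTERM);               /* orderly daemon shutdown */
            waitpid(child, NULL, 0);
            break;
        } else {
            /* auditd(8) documents SIGHUP (reload config), SIGUSR1 (rotate
             * logs) and SIGUSR2 (resume logging): pass them straight through. */
            kill(child, si.si_signo);
        }
    }
    sigprocmask(SIG_UNBLOCK, &set, NULL);
    return restarts;
}

int main(void)
{
    /* Assumed install path; -n keeps auditd in the foreground. */
    char *const argv[] = { "/sbin/auditd", "-n", NULL };
    int n = supervise(argv, 5, 1);
    fprintf(stderr, "supervisor exiting after %d restart(s)\n", n);
    return n < 0 ? 1 : 0;
}
```

Two design points worth noting. Collecting the signals with sigwaitinfo() on a blocked set keeps all the work (waitpid, fork, exec, logging) out of signal-handler context, so there is no async-signal-safety problem to reason about. And the restart cap is deliberate: a watcher that restarts unconditionally turns a crash loop into a CPU burner and, as Steve points out, fights an administrator who has intentionally stopped the service; where systemd is the init system, Restart= with its built-in rate limiting does the same job with less code.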
