From: Linda Knippers
Subject: Re: [PATCH] Audit: save audit_backlog_limit audit messages in case auditd comes back
Date: Fri, 28 Mar 2008 10:18:00 -0400
Message-ID: <47ECFE18.5090108@hp.com>
References: <1206653864.2878.19.camel@localhost.localdomain> <200803271750.09037.sgrubb@redhat.com> <1206665523.2878.23.camel@localhost.localdomain>
In-Reply-To: <1206665523.2878.23.camel@localhost.localdomain>
To: Eric Paris
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Eric Paris wrote:
> On Thu, 2008-03-27 at 17:50 -0400, Steve Grubb wrote:
>> On Thursday 27 March 2008 17:37:44 Eric Paris wrote:
>>> This is useful to collect audit messages during bootup and even when auditd
>>> is stopped. This is NOT a reliable mechanism, it does not ever call
>>> audit_panic, nor should it.
>> Thanks Eric for working on this. We've needed this for quite a while so that
>> we can see some of the avcs that happen during boot.
>>
>>
>>> If auditd never starts the kernel will hold by default up to 64 messages
>>> in memory forever.
>> I have an idea. Maybe this behavior could be enabled if audit=1 is passed as a
>> boot parameter. In this way, you would know that the user intended for the
>> audit daemon to start at some point. You could then call audit panic or
>> whatever else is normal. If no audit=1 is passed, you could just do the
>> printk like usual and not waste memory. Would this be helpful?
>
> I could probably do that. I also could conditionalize it on auditd ever
> having run. I can't imagine it is normal for auditd to be running and
> then stopped forever....
>
> Anyone else see value in that situation? Only do it on boot if audit=1
> is passed?

I think doing it on boot if audit=1 is passed is a good idea. I'm not sure I see the value of doing something when auditd was running but was stopped. I think when auditd is stopped, we shouldn't guess why or for how long it will be stopped.

-- ljk

> Does anyone actually use that command line option?
>
> -Eric
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
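The following is an added illustration of the behaviour the thread is debating; it is not the kernel patch and not code from any participant. It models a bounded in-memory backlog that holds messages only while auditd is absent and only when the audit=1 boot parameter was given, replays them in order when the daemon connects, and never escalates to audit_panic. The names (audit_state, audit_emit, audit_daemon_connect), the small AUDIT_BACKLOG_LIMIT of 4 instead of the patch's default of 64, the drop-newest policy when the backlog is full, and the lost counter are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustration only: the patch under discussion defaults to 64 messages;
 * a small limit keeps the demonstration readable. */
#define AUDIT_BACKLOG_LIMIT 4
#define AUDIT_MSG_LEN 64

struct audit_state {
    bool audit_enabled;      /* models the audit=1 boot parameter */
    bool daemon_present;     /* models auditd being connected */
    char held[AUDIT_BACKLOG_LIMIT][AUDIT_MSG_LEN];
    int held_count;          /* messages currently waiting in memory */
    int lost;                /* messages dropped because the backlog was full */
    int delivered;           /* messages handed to the daemon */
    int printed;             /* messages that took the plain printk path */
};

void audit_state_init(struct audit_state *s, bool audit_enabled)
{
    memset(s, 0, sizeof(*s));
    s->audit_enabled = audit_enabled;
}

/* The kernel has a message to emit. With auditd connected it is delivered
 * directly. Without auditd it is held only when audit=1 was given; when the
 * backlog is full the newest message is dropped and counted as lost
 * (assumed policy). Nothing here ever calls an audit_panic equivalent. */
void audit_emit(struct audit_state *s, const char *msg)
{
    if (s->daemon_present) {
        s->delivered++;
        return;
    }
    if (!s->audit_enabled) {
        /* no audit=1: behave as before the patch, printk and hold nothing */
        printf("printk: %s\n", msg);
        s->printed++;
        return;
    }
    if (s->held_count == AUDIT_BACKLOG_LIMIT) {
        s->lost++;
        return;
    }
    snprintf(s->held[s->held_count], AUDIT_MSG_LEN, "%s", msg);
    s->held_count++;
}

/* auditd starts (or comes back): replay held messages in order and return
 * how many were replayed. The lost counter tells the operator what the
 * bounded backlog could not keep. */
int audit_daemon_connect(struct audit_state *s)
{
    int flushed = s->held_count;
    s->daemon_present = true;
    for (int i = 0; i < flushed; i++) {
        printf("deliver: %s\n", s->held[i]);
        s->delivered++;
    }
    s->held_count = 0;
    return flushed;
}

void audit_daemon_disconnect(struct audit_state *s)
{
    s->daemon_present = false;
}

int main(void)
{
    struct audit_state s;
    char msg[AUDIT_MSG_LEN];

    /* boot with audit=1, auditd not yet started: six constructed boot-time messages */
    audit_state_init(&s, true);
    for (int i = 0; i < 6; i++) {
        snprintf(msg, sizeof msg, "constructed boot avc %d", i);
        audit_emit(&s, msg);
    }
    printf("held=%d lost=%d\n", s.held_count, s.lost);       /* held=4 lost=2 */
    printf("flushed=%d\n", audit_daemon_connect(&s));         /* flushed=4 */
    audit_emit(&s, "constructed post-boot message");
    printf("delivered=%d\n", s.delivered);                    /* delivered=5 */

    /* boot without audit=1: messages go to printk, nothing is held */
    audit_state_init(&s, false);
    audit_emit(&s, "constructed message without audit=1");
    printf("held=%d printed=%d\n", s.held_count, s.printed);  /* held=0 printed=1 */
    return 0;
}
```

The lost counter is the practical point for a defender: because the backlog is bounded and best-effort, the operator needs a visible signal when boot-time messages were discarded, rather than silently trusting that everything before auditd started was captured.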