handling disk full

Klaus Weidner klaus at atsec.com
Wed Dec 15 20:33:48 UTC 2004


On Wed, Dec 15, 2004 at 10:53:33AM -0800, Chris Wright wrote:
> The best you could do is wait until syscall exit and queue up processes
> then.  The action will have taken place, but the caller wouldn't get
> scheduled until it's awoken by audit system.  (This doesn't help for the
> case of creating something that another process could then use, as it
> will exist, and the other process's access to object may not be an
> auditable event).

That won't do; the CAPP requirement is specifically that the action is
prevented. The approach you describe could be abused to do arbitrarily
many audit-required events by forking separate processes for them if you
don't care about them getting stuck afterwards.

-Klaus




More information about the Linux-audit mailing list