audit.20 kernel

Steve Grubb sgrubb at redhat.com
Mon Apr 11 17:40:43 UTC 2005


On Monday 11 April 2005 12:32, David Woodhouse wrote:
> ... contains Chris' version of Steve's fix for audit_log_drain(), and my
> thinko in the auditfs patch fixed so the hook in permission() should
> work on all file systems.

I just tested this latest kernel. It seems to handle Kris's problem much 
better. I would be interested in getting feedback. Now that we are fully 
using the backlog buffer, does that solve the problem? There are 2 more fixups 
that we can make depending on what the feedback is.

On another note...I still don't see any shutdown messages:

[root@endeavor audit-rec]# /etc/rc.d/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]

From /var/log/messages:
Apr 11 13:37:55 localhost auditd[2766]: The audit daemon is exiting.
Apr 11 13:37:55 localhost kernel: audit(1113241075.473:0): audit_pid=0 old=2766 by auid 4325
Apr 11 13:37:56 localhost auditd[2831]: Init complete, audit pid set to: 2831

From /var/log/audit/audit.log:
type=DAEMON msg=auditd(1113241075) auditd normal halt, pid=2766, uid=0
type=DAEMON msg=auditd(1113241076) auditd start, ver=0.7, format=raw, pid=2831, uid=0
type=KERNEL msg=audit(1113241076.797:0): audit_enabled=1 old=1 by auid 4325
type=KERNEL msg=audit(1113241077.001:0): audit_backlog_limit=1024 old=1024 by auid 4325

[root@endeavor ~]# uname -a
Linux endeavor 2.6.9-5.0.3.EL.audit.20 #1 Mon Apr 11 09:31:57 EDT 2005 i686 athlon i386 GNU/Linux

This is using the 686 kernel.

-Steve



