Auditd shutdown

David Woodhouse dwmw2 at infradead.org
Tue Apr 12 14:56:04 UTC 2005


On Tue, 2005-04-12 at 10:29 -0400, Steve Grubb wrote:
> When I get the term signal, I would need to wait for the event to be logged to 
> disk. So that means I have to inspect each packet and wait until the shutdown 
> message comes through. But what if the backlog was full when that event would 
> have been enqueued? 

What's wrong with setting the audit_pid to zero to prevent further
messages being queued, and then draining the netlink queue? 

-- 
dwmw2
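
The shutdown order suggested in the reply above, sketched in C as an added example (not code from this thread or from auditd): first build the AUDIT_SET request that sets audit_pid to 0, then read the socket non-blocking until it reports empty. The names build_set_pid, drain_queue and the log_fn callback are hypothetical; the netlink constants and struct audit_status come from the kernel's <linux/audit.h>.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Build the AUDIT_SET request that sets audit_pid to new_pid (0 = no daemon).
 * buf must hold at least NLMSG_SPACE(sizeof(struct audit_status)) bytes and
 * be aligned for struct nlmsghdr. Returns the length to pass to sendto(). */
static size_t build_set_pid(void *buf, unsigned int new_pid, unsigned int seq)
{
    struct nlmsghdr *nlh = buf;
    struct audit_status *st;

    memset(buf, 0, NLMSG_SPACE(sizeof(*st)));
    nlh->nlmsg_len   = NLMSG_LENGTH(sizeof(*st));
    nlh->nlmsg_type  = AUDIT_SET;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq   = seq;
    st = NLMSG_DATA(nlh);
    st->mask = AUDIT_STATUS_PID;   /* only the pid field is being changed */
    st->pid  = new_pid;
    return nlh->nlmsg_len;
}

/* Drain everything already queued on fd without blocking. Each datagram is
 * handed to log_fn (hypothetical callback that writes the record to disk).
 * Returns the number of datagrams drained, or -1 on a real receive error. */
static int drain_queue(int fd, void (*log_fn)(const void *, size_t))
{
    char rec[9000];                /* assumed large enough for one record */
    int n = 0;

    for (;;) {
        ssize_t len = recv(fd, rec, sizeof(rec), MSG_DONTWAIT);
        if (len >= 0) {
            if (log_fn)
                log_fn(rec, (size_t)len);
            n++;
        } else if (errno == EINTR) {
            continue;              /* interrupted by a signal: retry */
        } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
            return n;              /* queue is empty: safe to exit */
        } else {
            return -1;
        }
    }
}
```

Because the pid is cleared before draining, an empty queue means nothing further will be enqueued for this daemon. The NLM_F_ACK reply arrives on the same socket, so a real log_fn would need to recognise NLMSG_ERROR messages rather than write them out as audit records.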



