Auditd shutdown
David Woodhouse
dwmw2 at infradead.org
Tue Apr 12 14:56:04 UTC 2005
On Tue, 2005-04-12 at 10:29 -0400, Steve Grubb wrote:
> When I get the term signal, I would need to wait for the event to be logged to
> disk. So that means I have to inspect each packet and wait until the shutdown
> message comes through. But what if the backlog was full when that event would
> have been enqueued?
What's wrong with setting the audit_pid to zero to prevent further
messages being queued, and then draining the netlink queue?
--
dwmw2
More information about the Linux-audit
mailing list