Auditd shutdown

Steve Grubb sgrubb at redhat.com
Tue Apr 12 15:10:15 UTC 2005


On Tuesday 12 April 2005 10:56, David Woodhouse wrote:
> What's wrong with setting the audit_pid to zero to prevent further
> messages being queued, and then draining the netlink queue?

When I send the change audit pid, I am going to get an ack back. What comes 
first? The ack or the potential message? Can anything actually be buffered 
for read of the netlink socket when I send the change pid command? I can't 
drain it before sending because it may be a never ending supply of packets.

This is also assuming that we either got the shutdown event, or we gave up 
waiting for it and are shutting down anyways. If we got the message, no big 
deal - we don't even need to drain the queue. If we are in timeout, draining 
the queue still may not give us the message that has the credentials. There's 
no guarantee that it's there. What if the backlog was full?

Also keep in mind that we have to do this within 5 seconds or the initscripts 
will get mad and send SIGKILL. We failed at that point.

-Steve
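
The constraint discussed in the message above can be seen in a small C sketch, added here as an illustration and not taken from this thread or from auditd: a drain loop that stops on the record it wants or when its time budget is spent, whichever comes first. An AF_UNIX socketpair stands in for the netlink socket, real audit message framing is not modelled, and the record types, `drain_for`, `demo` and the 100 ms budget are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum { REC_OTHER = 1, REC_ACK, REC_SHUTDOWN };  /* constructed record types */

static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Consume records until `want` arrives or budget_ms is spent.
 * Returns 1 if `want` was seen, 0 on timeout or error; *nread counts reads. */
int drain_for(int fd, int want, int budget_ms, int *nread) {
    long deadline = now_ms() + budget_ms;
    *nread = 0;
    for (;;) {
        long left = deadline - now_ms();
        if (left <= 0) return 0;    /* a busy queue cannot hold us past the deadline */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        if (poll(&p, 1, (int)left) <= 0) return 0;    /* nothing arrived in time */
        int type;
        if (recv(fd, &type, sizeof type, MSG_DONTWAIT) != (ssize_t)sizeof type) return 0;
        (*nread)++;
        if (type == want) return 1;
    }
}

/* Queue constructed records on the stand-in socket, then drain. Returns the
 * reads consumed if the shutdown record was found, minus that count if not. */
int demo(int include_shutdown) {
    int sv[2], n, recs[] = { REC_OTHER, REC_ACK, REC_OTHER, REC_SHUTDOWN, REC_OTHER };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return 0;
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        if (include_shutdown || recs[i] != REC_SHUTDOWN)
            send(sv[1], &recs[i], sizeof recs[i], 0);
    int found = drain_for(sv[0], REC_SHUTDOWN, 100, &n);
    close(sv[0]); close(sv[1]);
    return found ? n : -n;
}

int main(void) {
    printf("present: %d, dropped: %d\n", demo(1), demo(0));
    return 0;
}
```

When the shutdown record was never queued, the loop reads everything available and still returns without it once the budget expires, which is the timeout case the message describes.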



