Auditd shutdown
Steve Grubb
sgrubb at redhat.com
Tue Apr 12 15:22:17 UTC 2005
On Tuesday 12 April 2005 10:29, Steve Grubb wrote:
> I came to the conclusion that the only way to "do it right" is to get the
> credentials in the signal handler.

It just occurred to me that we could have a variable that gets stuffed when
the signal is detected as going to the audit daemon. Then the audit daemon
could request shutdown info. The kernel fills in a structure and sends it
back (similar to the request status command).

By doing it this way, we avoid the queue and backlog full. We can look for the
reply to a specific request which is easy. That same command can also switch
the audit pid to 0 after the packet was sent to user space.

-Steve