audit audtid's syscall?

Steve Grubb sgrubb at redhat.com
Thu Feb 3 13:50:38 UTC 2005


On Thursday 03 February 2005 08:29, Junji Kanemaru wrote:
> I wonder if it is needed to audit auditd's syscalls. 

This is configurable by the auditctl rules. If the system admin wants it, he 
can get it. If not, he can add a rule not to log it.

> For example if I want to audit like "write,always -S all" then auditd 
> writes log and it causes another write call and it causes audit to log and
> it causes auditd writes log and so on...

I think this is expected.

> I briefly looked into kernel audit code but there's no check (I could be
> wrong). In some extreme situation it will cause kernel panic in kernel 
> audit code 'cuz no memory. Try "exit,always -S all".

I think Chris added a patch that helps a little with out of memory conditions. 
There are also other audit subsystem control parameters to let you limit the 
rate at which packets are sent and how many buffers it should set up.

> So, I'd like to suggest that 1) we should have some option to disable
> audit for auditd's pid 

auditctl -a entry,never -S all -F pid=XXXX

This rule should be at the top of the list. I believe they are "executed" from 
top to bottom like iptables does.

> 2)add option to use netlink_broadcast for kernel 
> audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
> causes syslog write.

I don't want the audit log polluted with kernel error messages. I think they 
belong in syslog.

-Steve
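The rule ordering described above (exclusion for auditd's pid first, because rules are matched top to bottom), as an added example that is not part of the thread: a small POSIX shell helper that emits such a rules fragment and checks the ordering with awk before it would be loaded with `auditctl -R`. The AUDITD_PID variable, the fallback pid 1234 and the `--demo` flag are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Emits an audit.rules fragment that excludes auditd's own pid before a
# catch-all syscall rule, and verifies that ordering, since the kernel
# matches rules top to bottom and the first hit wins.
# Assumption: the caller supplies auditd's pid (e.g. "$(pidof auditd)").
# The thread's "entry,never" form is kept; recent auditctl versions only
# accept the exit list, so use "exit,never" there.

# Emit the rule set for a given auditd pid, exclusion rule first.
audit_rules_for_pid() {
    pid="$1"
    case "$pid" in
        ''|*[!0-9]*) echo "usage: audit_rules_for_pid <pid>" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "-a entry,never -S all -F pid=$pid" \
        "-a exit,always -S all"
}

# Read rules on stdin. Return 0 if every 'never' rule with a pid filter
# precedes the first catch-all 'always -S all' rule; otherwise report the
# offending line and return 1 (a misplaced exclusion would never fire).
check_rule_order() {
    awk '
        /^-a [a-z]+,always -S all( |$)/ { seen_catchall = 1 }
        /^-a [a-z]+,never .*-F pid=/ && seen_catchall {
            print "exclusion after catch-all at line " NR ": " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage: build a fragment for the running auditd and check it; loading it
# with "auditctl -R <file>" needs root and is deliberately not done here.
if [ "${1:-}" = "--demo" ]; then
    pid="${AUDITD_PID:-$(pidof auditd 2>/dev/null || echo 1234)}"
    audit_rules_for_pid "$pid" | check_rule_order && echo "rule order ok"
fi
```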
