Another question - audit_lost

Steve Grubb sgrubb at redhat.com
Tue Feb 22 22:04:52 UTC 2005


On Tuesday 22 February 2005 15:46, Erich Schubert wrote:
> it seems that "ps" is very good at generating too many audit events.
> This could undermine the usefulness seriously - when I can just do a
> "while true; do ps > /dev/null; done" in one shell to overload the
> audit system, then hope that my real actions get dropped.

Yes. I tried your setup and could not get any netlink socket busy messages
while I had free disk space. I guess it's hardware specific.

BUT, I did run into some items...

1) low disk space notification did not seem to work
2) it still tried to log even with disk full
3) netlink busy soon followed disk full
4) The system became unstable - first slow, then heavy disk swapping, then 
unresponsive
5) had to hit reset button
6) could not get back into system without rescue disk.

Not very good.

This points to a couple of issues. 1) I need to look at userspace and see what's
up with disk space detection. 2) The kernel has a serious problem when
netlink socket busy scrolls across the screen for a while. I was using the
kernel-2.6.9-5.EL.audit.6 from David's yum repo.

-Steve
