Handling disk full & No Kernel resources

Steve Grubb sgrubb at redhat.com
Wed Jan 5 17:55:11 UTC 2005


On Wednesday 05 January 2005 12:10, Valdis.Kletnieks at vt.edu wrote:
> (I'm assuming that most sane auditors would have a cow if they found that
> the audit system didn't record things like "audit file truncated/wrapped"
> and similar events).

The audit daemon can't wrap files.

> Probably some hand-waving needs to happen, figuring out how many audit
> records we generate for various methods of clearing the problem, and
> actually send the AUDIT_SUSPEND when there's still enough space in the
> current log to write the records. 

You should be able to do this. There's a config parameter space_left_action 
which lets you tell it what you want it to do.

> We may also need to pre-allocate disk space for the logfiles 
> (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise 
> we can still deadlock if we're logging to /var and somebody else 
> snarfs up that last 4K block of free disk after we've sent 
> AUDIT_SUSPEND but before we actually do something that generates 
> the records....

The log file descriptor is opened in the append mode as a safety precaution. I 
would recommend that anyone this paranoid should log to a partition set aside 
just for audit logs.

-Steve Grubb
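
Added example, not part of the original post and not code from the audit project: a small Python check for the two points in the reply above, that space_left_action is set to something other than ignore and that the log directory is on its own filesystem. It assumes the daemon's config is plain "key = value" text with a log_file entry and that a dedicated partition would be mounted at the directory holding the log; the function names and the sample config are constructed for illustration.

```python
import os

# Constructed sample configuration for this example, not taken from the post.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
space_left_action = ignore
"""

def parse_auditd_conf(text):
    """Parse 'key = value' lines into a dict; skip blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def on_own_filesystem(log_dir, stat=os.stat):
    """True if log_dir sits on a different device than its parent directory."""
    parent = os.path.dirname(log_dir.rstrip("/")) or "/"
    return stat(log_dir).st_dev != stat(parent).st_dev

def review(conf, stat=os.stat):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    action = conf.get("space_left_action")
    if action is None:
        findings.append("space_left_action is not set explicitly")
    elif action.lower() == "ignore":
        findings.append("space_left_action = ignore: low disk space triggers no action")
    log_file = conf.get("log_file")
    if log_file is None:
        findings.append("log_file is not set explicitly; partition check skipped")
        return findings
    log_dir = os.path.dirname(log_file)
    try:
        if not on_own_filesystem(log_dir, stat):
            findings.append(f"{log_dir} shares a filesystem with its parent directory")
    except OSError as exc:  # e.g. directory missing on the machine running the check
        findings.append(f"cannot stat {log_dir}: {exc}")
    return findings

if __name__ == "__main__":
    for finding in review(parse_auditd_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

The stat parameter exists so the device comparison can be exercised without real mounts; on a live host, call review() with the parsed contents of the daemon's actual config file.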



