Handling disk full & No Kernel resources
Steve Grubb
sgrubb at redhat.com
Wed Jan 5 18:11:17 UTC 2005
On Wednesday 05 January 2005 11:40, Casey Schaufler wrote:
> the only behavior that has ever been considered reliable is
> for the audit deamon to send the system into
> single user (or turn it off) when audit space is
> not available.
So then how do you bring it back up? If it shuts down when there's no room and
you restart the system, there's still no room. Is it expected for users to
disable auditing at boot, or boot to single user mode and then clear disk
space? Just curious what the customer support for this is like.
> One example I like to use is inetd, which *must* be
> audited and which will cause amazing (lack of) behavior if it's
> suspended.
Out of curiosity, how do you audit the children of xinetd? The current audit
kernel implementation does not allow you to audit based on sid or pgid. Which
brings up the question of "do we want that?"
-Steve Grubb
More information about the Linux-audit
mailing list