Handling disk full & No Kernel resources

Casey Schaufler casey at schaufler-ca.com
Wed Jan 5 23:49:31 UTC 2005


--- Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday 05 January 2005 11:40, Casey Schaufler wrote:
> > the only behavior that has ever been considered reliable is
> > for the audit daemon to send the system into
> > single user (or turn it off) when audit space is
> > not available.
>
> So then how do you bring it back up?

Single User.

> If it shuts down when there's no room and
> you restart the system, there's still no room.

Audit will have to be turned off in single user.

> Is it expected for users to disable auditing at boot,
> or boot to single user mode and then clear disk space?

No. Users are expected to be oblivious to audit.
The administrator does this.

> Just curious what the customer support for this is like.

Customers who enable audit usually run out of disk
so quickly that your rote description of what to do
had better be at your fingertips the day you release
the audit facility.
 
> Out of curiosity, how do you audit the children of
> xinetd? The current audit kernel implementation does
> not allow you to audit based on sid or pgid. Which
> brings up the question of "do we want that?"

Solaris and Irix keep two sets of audit flags,
one for all processes, and one that is process
specific. A process with audit flags of its own
is audited according to those flags, while a process
that has no flags is audited according to the
system flags. The audit flags are, like all good
little attributes, passed on to children. Now
pay attention, because here's where it gets ugly.
inetd (or xinetd if you're living in the 21st
century) must set the audit flags for the child
process it spawns, as well as the audit user id.
xinetd invokes a child to perform an action on a
user's behalf, which means that the action must be
audited as that user is audited.


=====
Casey Schaufler
casey at schaufler-ca.com
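The two-tier flag scheme described above (a system-wide mask, an optional per-process mask that overrides it, both inherited across fork, and inetd stamping each spawned child with the remote user's audit user id and flags), written out as a small user-space model. This is an added example, not code from the post or from any Solaris, Irix or Linux kernel; the struct layout, the class bits, and the `effective_flags`, `should_audit`, `audit_fork` and `inetd_spawn` names are assumptions chosen for illustration.

```c
/* Added example: a user-space model of per-process vs. system audit
 * flags. Nothing here is kernel code; all names and bit values are
 * assumptions for illustration. */
#include <stdio.h>
#include <stdbool.h>

/* Event classes a policy can select. The bit values are made up. */
enum audit_class {
    AU_LOGIN = 1 << 0,   /* login / logout */
    AU_FILE  = 1 << 1,   /* file open / create / delete */
    AU_EXEC  = 1 << 2,   /* process exec */
    AU_ADMIN = 1 << 3,   /* administrative actions */
};

/* A process carries an audit user id (auid) set when the user
 * authenticates, plus an optional per-process mask of classes. */
struct proc {
    unsigned int auid;      /* audit user id, (unsigned)-1 == unset */
    bool has_flags;         /* false: fall back to the system mask */
    unsigned int flags;     /* per-process audit classes, if has_flags */
};

/* System-wide mask used by every process that has no mask of its own. */
static unsigned int system_flags = AU_LOGIN | AU_ADMIN;

/* Resolve the mask that actually governs this process. */
unsigned int effective_flags(const struct proc *p)
{
    return p->has_flags ? p->flags : system_flags;
}

/* Should an event of class cls raised by p be written to the trail? */
bool should_audit(const struct proc *p, enum audit_class cls)
{
    return (effective_flags(p) & cls) != 0;
}

/* fork(): the child inherits both the auid and the audit flags. */
struct proc audit_fork(const struct proc *parent)
{
    return *parent;   /* copies auid, has_flags and flags */
}

/* What inetd must do before exec'ing a service on a remote user's
 * behalf: stamp the child with that user's auid and with that user's
 * flags, so the service's actions are audited as that user would be.
 * user_has_flags == false means the user has no per-user policy and
 * the system mask applies. */
struct proc inetd_spawn(const struct proc *inetd, unsigned int user_auid,
                        bool user_has_flags, unsigned int user_flags)
{
    struct proc child = audit_fork(inetd);
    child.auid = user_auid;
    child.has_flags = user_has_flags;
    child.flags = user_flags;
    return child;
}

int main(void)
{
    struct proc init = { .auid = (unsigned)-1, .has_flags = false, .flags = 0 };
    struct proc inetd = audit_fork(&init);

    /* Constructed sample: user 1001 has a per-user policy, 1002 does not. */
    struct proc svc1 = inetd_spawn(&inetd, 1001, true, AU_FILE | AU_EXEC);
    struct proc svc2 = inetd_spawn(&inetd, 1002, false, 0);

    printf("inetd itself, file event:     %d\n", should_audit(&inetd, AU_FILE));
    printf("user 1001 child, file event:  %d\n", should_audit(&svc1, AU_FILE));
    printf("user 1001 child, admin event: %d\n", should_audit(&svc1, AU_ADMIN));
    printf("user 1002 child, admin event: %d\n", should_audit(&svc2, AU_ADMIN));
    return 0;
}
```

The point the model makes concrete is the one in the post: selecting audit by session or process group would tie the policy to inetd, whereas carrying the auid and flags on the process and having inetd set them on each child ties the policy to the user the child is acting for.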


		