auditd stop suggestion

Steve Grubb sgrubb at redhat.com
Tue Jun 14 21:47:05 UTC 2005


On Tuesday 14 June 2005 17:29, you wrote:
>> Right you need to add a sleep. audit records do not show up
>> instantaneously. How long it takes could be subject to debate. I'd be more
>> interested in figuring that out.
>
> I'll look into that, maybe we can find an answer, architecture, hardware &
> load dependent of course.

You would almost want to write a program that listens to the netlink socket 
just as auditd does, get the time, perform an auditable event, and call 
select on the netlink socket. The instant it's readable, get the time. It 
would be interesting to get a measure of latency.

I think if you want a sure thing, your test will look like this:

auditd start
load rules/watches
perform event
delete rules/watches
monitor backlog until it's 0
auditd stop

This should always work with no sleeps.

-Steve
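
The six-step sequence above, written out as a shell script. This is an added example, not code from the post or from the audit project: it assumes root on an audit-enabled kernel, an init script named `auditd`, and that `auditctl -s` prints either the old single-line `AUDIT_STATUS: ... backlog=N` form or the newer one-field-per-line form (`backlog N`). The "monitor backlog until it's 0" step is a polling loop over `auditctl -s`; the rules file and the event command are whatever the tester supplies.

```shell
#!/bin/sh
# Added example (not from the original post or the audit project): drive the
# "no sleeps" test sequence and wait for the kernel audit backlog to reach 0
# before stopping auditd. Assumes root, an audit-enabled kernel, an init
# script named auditd, and one of the two known `auditctl -s` output formats.

# backlog_from_status: read `auditctl -s` output on stdin and print the
# backlog count, or -1 if no backlog field was found.
backlog_from_status() {
    awk '
        # old format: "AUDIT_STATUS: enabled=1 ... lost=0 backlog=3"
        # (backlog_limit= does not contain the substring "backlog=")
        /backlog=/ { sub(/.*backlog=/, ""); sub(/[^0-9].*/, ""); print; found = 1; exit }
        # new format: a separate line reading "backlog 3"
        $1 == "backlog" { print $2; found = 1; exit }
        END { if (!found) print "-1" }
    '
}

# wait_for_backlog_drain STATUS_CMD [MAX_POLLS] [INTERVAL_SECONDS]
# Evaluates STATUS_CMD (normally 'auditctl -s') until it reports backlog 0.
# Returns 0 once drained, 1 if the backlog never reached 0 within MAX_POLLS.
wait_for_backlog_drain() {
    status_cmd=$1
    max_polls=${2:-100}
    interval=${3:-1}
    i=0
    while [ "$i" -lt "$max_polls" ]; do
        n=$(eval "$status_cmd" | backlog_from_status)
        if [ "$n" = "0" ]; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# run_audit_test RULES_FILE EVENT_CMD: the sequence from the message.
# RULES_FILE is in `auditctl -R` format (assumed to exist); EVENT_CMD is the
# command that triggers the audited event.
run_audit_test() {
    rules_file=$1
    event_cmd=$2
    service auditd start || return 1       # auditd start (init script name assumed)
    auditctl -R "$rules_file" || return 1  # load rules/watches
    eval "$event_cmd"                      # perform event
    auditctl -D                            # delete rules/watches
    # monitor backlog until it's 0 (up to 100 polls, one second apart)
    if ! wait_for_backlog_drain 'auditctl -s' 100 1; then
        echo 'audit backlog did not drain' >&2
        return 1
    fi
    service auditd stop                    # auditd stop
}

# Only run the live sequence when explicitly requested, e.g.
#   RUN_AUDIT_TEST=1 sh audit_test.sh /path/to/test.rules 'touch /tmp/audit_test'
if [ "${RUN_AUDIT_TEST:-0}" = "1" ]; then
    run_audit_test "$1" "$2"
fi
```

Sourcing the file without `RUN_AUDIT_TEST=1` only defines the functions, so the parser and the drain loop can be exercised against captured `auditctl -s` output without touching a live audit daemon.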
