altering audit_log_start

Steve Grubb sgrubb at redhat.com
Wed Mar 16 18:22:19 UTC 2005


On Wednesday 16 March 2005 12:58, Timothy R. Chavez wrote:
> Any opinions on the matter?

It fails for 2 reasons, out of memory and backlog limit. If you're out of
memory, there's not much you can do. If you hit the backlog limit, there's
still not much you can do.

Before the flow of control is back in the caller, it will consult 
audit_failure and either panic, print a message, or ignore it. In a CAPP 
setting, I think they will be running in panic mode. Any lost message is a 
problem.

So, if you get a failure returned, they are either in print or ignore mode. In
either case, they have chosen to live with lost messages.

Out of curiosity... what would you do to handle the backlog limit?

-Steve
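
The failure path Steve describes, as an added user-space model for readers of this thread (it is not the kernel's audit code and not part of the original message). The two failure reasons, the backlog check, and the fact that the audit_failure policy is applied inside the call before NULL reaches the caller are taken from the message; the AUDIT_FAIL_* values are the kernel's UAPI constants, while the struct names, the run_scenario() driver, the out_of_memory test hook and the "panicked" flag standing in for panic() are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added model of audit_log_start()'s failure path; not the kernel's code.
 * The mode values follow the kernel's AUDIT_FAIL_* constants; the rest
 * (struct layout, the "panicked" flag instead of panic()) is simplified. */
enum audit_fail_mode {
    AUDIT_FAIL_SILENT = 0,
    AUDIT_FAIL_PRINTK = 1,
    AUDIT_FAIL_PANIC  = 2,
};

struct audit_ctx {
    enum audit_fail_mode failure;  /* the audit_failure policy (auditctl -f) */
    unsigned backlog_limit;        /* auditctl -b; 0 means unlimited */
    unsigned backlog;              /* records queued, not yet consumed by auditd */
    unsigned long lost;            /* every record that could not be emitted */
    int panicked;                  /* set where the kernel would call panic() */
    int out_of_memory;             /* test hook: make the allocation fail */
};

struct audit_buffer {
    char msg[128];
};

/* Consulted on every failure *before* audit_log_start() returns. This is why
 * the caller cannot do anything useful with NULL: policy is already applied. */
static void audit_log_lost(struct audit_ctx *ctx, const char *why)
{
    ctx->lost++;
    switch (ctx->failure) {
    case AUDIT_FAIL_PANIC:
        ctx->panicked = 1;            /* real kernel: panic() never returns */
        break;
    case AUDIT_FAIL_PRINTK:
        fprintf(stderr, "audit: audit_lost=%lu audit_backlog=%u "
                        "audit_backlog_limit=%u %s\n",
                ctx->lost, ctx->backlog, ctx->backlog_limit, why);
        break;
    case AUDIT_FAIL_SILENT:
        break;                        /* admin chose to live with lost records */
    }
}

/* Returns a buffer to fill, or NULL for exactly the two reasons in the
 * message: backlog limit hit, or allocation failed. */
struct audit_buffer *audit_log_start(struct audit_ctx *ctx)
{
    struct audit_buffer *ab;

    if (ctx->backlog_limit && ctx->backlog >= ctx->backlog_limit) {
        audit_log_lost(ctx, "backlog limit exceeded");
        return NULL;
    }
    ab = ctx->out_of_memory ? NULL : calloc(1, sizeof *ab);
    if (!ab) {
        audit_log_lost(ctx, "out of memory in audit_log_start");
        return NULL;
    }
    ctx->backlog++;                   /* queued for auditd; drained elsewhere */
    return ab;
}

/* Caller pattern: on NULL just skip the record; the loss is already handled. */
static int emit_record(struct audit_ctx *ctx)
{
    struct audit_buffer *ab = audit_log_start(ctx);
    if (!ab)
        return 0;
    snprintf(ab->msg, sizeof ab->msg, "type=SYSCALL ... (constructed record)");
    free(ab);                         /* stands in for audit_log_end() */
    return 1;
}

/* Try 'attempts' records with nobody draining the queue, starting from an
 * empty context in the given mode. Returns how many were accepted. In panic
 * mode the loop stops at the first loss, as the machine itself would have. */
int run_scenario(enum audit_fail_mode mode, unsigned limit, unsigned attempts,
                 int oom, struct audit_ctx *out)
{
    struct audit_ctx ctx = { .failure = mode, .backlog_limit = limit,
                             .out_of_memory = oom };
    int accepted = 0;
    unsigned i;

    for (i = 0; i < attempts && !ctx.panicked; i++)
        accepted += emit_record(&ctx);
    if (out)
        *out = ctx;
    return accepted;
}

int main(void)
{
    struct audit_ctx ctx;
    int ok = run_scenario(AUDIT_FAIL_PRINTK, 3, 5, 0, &ctx);
    printf("printk mode: accepted=%d lost=%lu panicked=%d\n", ok, ctx.lost, ctx.panicked);
    ok = run_scenario(AUDIT_FAIL_PANIC, 3, 5, 0, &ctx);
    printf("panic mode:  accepted=%d lost=%lu panicked=%d\n", ok, ctx.lost, ctx.panicked);
    return 0;
}
```

With a limit of 3 and five back-to-back records, print and silent mode accept three and count two lost; panic mode accepts three and stops at the first loss. The model leaves out things the real function does, such as letting a caller that may sleep wait for auditd to drain the backlog before giving up, and rate-limiting the printk in the lost path.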




More information about the Linux-audit mailing list