altering audit_log_start
Timothy R. Chavez
tinytim at us.ibm.com
Wed Mar 16 18:38:16 UTC 2005
On Wednesday 16 March 2005 12:22 pm, Steve Grubb wrote:
> On Wednesday 16 March 2005 12:58, Timothy R. Chavez wrote:
> > Any opinions on the matter?
>
> It fails for 2 reasons, out of memory and backlog limit. If you're out of
> memory, there's not much you can do. If you hit the backlog limit, there's
> still not much you can do.
You can propigate the -ENOMEM message To me, that's the correct thing to do.
I think this comes down to "What do you consider good error handling?" When
you can fail out of a function for more then one reason, I think that the
caller is owed an explanation in the form of an errno regardless of whether
or not we're able to recover from the failure.
>
> Before the flow of control is back in the caller, it will consult
> audit_failure and either panic, print a message, or ignore it. In a CAPP
> setting, I think they will be running in panic mode. Any lost message is a
> problem.
Yes, I suppose this is what's happening. So I guess it doesn't matter.
>
> So, if you get a failure returned, they are either in print or ignore mode.
> In either case, they have chosen to live with lost messages.
>
> Out of curiosity...what would you do to handle the backlog limit?
Not sure. I haven't really given it any consideration. I suppose I'd pass an
-EAGAIN, sleep, and try again.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
--
-tim
More information about the Linux-audit
mailing list