Possible performance bug
Linda Knippers
linda.knippers at hp.com
Fri Sep 9 21:09:54 UTC 2005
> The only problem I see is when audit is re-enabled, we need a way to
> start getting the TIF_SYSCALL_AUDIT flag set again for already
> running processes. For example, suppose apache was of interest and
> audit was disabled. The above code would remove the flag. Then when
> audit is re-enabled, we need to set the flag again. I'm looking for a
> low impact way of doing this. Still thinking.
Does the problem also exist when audit is first enabled? Amy and I
were talking earlier and it seemed to be the case that when audit is
enabled, only new processes get audited so it would be a general
problem any time a system is booted without audit running, not
just when audit is re-enabled. Do we have that right?
-- ljk
More information about the Linux-audit
mailing list