Crash on Audit Failure
Steve Grubb
sgrubb at redhat.com
Wed Jun 13 20:22:20 UTC 2007
On Wednesday 13 June 2007 11:46:34 Paul Whitney wrote:
> Can someone please tell me if the audit flag option "-f" is set to 2 if the
> system will shutdown, freeze or provide some warning that auditing has
> stopped?
The -f 2 option controls how the *kernel* will react when it meets a failure
condition of some kind. The audit daemon itself takes care of problems like
being out of disk space. You can configure it to warn you that its getting
low on disk space with the space_left_action and admin_space_left_action.
What to do when completely out of disk space is set by the disk_full_action.
This is in the auditd.conf man page along with other tips in the NOTES
section.
> I am trying to get RHEL 4 U4 certified and am having to prove that the
> system will "crash" once audit partition is full and auditing stops.
It will. This was tested for CAPP.
-Steve
More information about the Linux-audit
mailing list