Events lost with dispatcher
Matthew Booth
mbooth at redhat.com
Wed Apr 7 12:44:08 UTC 2010
On 31/03/10 20:56, Steve Grubb wrote:
> Wait, you are writing a dispatcher...are you boosting your priority above
> auditd? If not, you should probably increase it by at least 4. Your dispatcher
> has to stay ahead of auditd.
On a related note, has there been any more thought about loading
dispatchers into auditd itself as dynamic libraries? This would solve
this problem, and also the issue of accidentally writing a rule which is
triggered by a dispatcher, causing a DOS.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
More information about the Linux-audit
mailing list