Events lost with dispatcher
Steve Grubb
sgrubb at redhat.com
Wed Apr 7 13:00:41 UTC 2010
On Wednesday 07 April 2010 08:44:08 am Matthew Booth wrote:
> On 31/03/10 20:56, Steve Grubb wrote:
> > Wait, you are writing a dispatcher...are you boosting your priority above
> > auditd? If not, you should probably increase it by at least 4. Your
> > dispatcher has to stay ahead of auditd.
>
> On a related note, has there been any more thought about loading
> dispatchers into auditd itself as dynamic libraries?
Its been in the official TODO file for about 7-8 months. There just isn't any
time for me to work on it right now or for a few more months.
> This would solve this problem,
This particular problem turned out to be a bad Ubuntu kernel. Everything works
as advertised when he switched to Fedora.
> and also the issue of accidentally writing a rule which is
> triggered by a dispatcher, causing a DOS.
-Steve
More information about the Linux-audit
mailing list