multipart messages & delivery guarantees

Steve Grubb sgrubb at redhat.com
Mon Feb 23 18:48:49 UTC 2015


On Sun, 22 Feb 2015 19:15:07 -0800
"Hassan Sultan" <hsultan at thefroid.net> wrote:
> Some events, such as execve or socket-related syscalls, generate more
> than one message, which I'll separate as the "main" message, and then
> the 'sub' messages.
> 
> Does the audit system guarantee in any way that user-mode will
> receive either no message, or all messages for a given event?

If a syscall cannot be audited, the syscall has to fail.

 
> I'm curious to know if for example I could get an execve syscall
> message, but no cwd message, for example in case of low-memory
> condition.

I suppose it depends on where in the processing an error occurs. Some
failure modes, if selected, cause a system panic. You'll probably want to
look through the kernel source code to be sure.

-Steve
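
An added example, not part of the original message or of the audit project's code: a user-space check that groups audit records by their shared `audit(timestamp:serial)` identifier and reports execve events that arrived without their companion records. The expected companion set (EXECVE and CWD for x86_64 syscall 59), the function names and the sample log lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Records of one event share the same audit(<timestamp>:<serial>) identifier.
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

# Assumption for this example: companion records to expect for a SYSCALL
# record, keyed by its syscall number (59 = execve on x86_64).
EXPECTED = {"59": {"EXECVE", "CWD"}}

def group_events(lines):
    """Group raw audit log lines by (timestamp, serial)."""
    events = defaultdict(list)
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)].append((rtype, body))
    return events

def incomplete_events(lines, expected=EXPECTED):
    """Return {event_id: missing record types} for events lacking companions."""
    missing = {}
    for event_id, records in group_events(lines).items():
        types = {rtype for rtype, _ in records}
        for rtype, body in records:
            if rtype != "SYSCALL":
                continue
            m = re.search(r"\bsyscall=(\d+)", body)
            want = expected.get(m.group(1), set()) if m else set()
            if want - types:
                missing[event_id] = sorted(want - types)
    return missing

# Constructed sample input (not real log data): the second event has no CWD.
SAMPLE = """\
type=SYSCALL msg=audit(1424717329.101:501): arch=c000003e syscall=59 success=yes exit=0 pid=4242 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1424717329.101:501): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1424717329.101:501): cwd="/root"
type=SYSCALL msg=audit(1424717330.202:502): arch=c000003e syscall=59 success=yes exit=0 pid=4243 comm="id" exe="/usr/bin/id"
type=EXECVE msg=audit(1424717330.202:502): argc=1 a0="id"
""".splitlines()

if __name__ == "__main__":
    for (ts, serial), gone in incomplete_events(SAMPLE).items():
        print(f"event {ts}:{serial} is missing {', '.join(gone)}")
```

A gap reported by this check only says the record was absent from the lines examined; it does not tell you whether it was lost in the kernel, in transport, or at log rotation.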



