Running multiple audit service clients

Max Timchenko maxvt at bu.edu
Thu Feb 11 20:19:27 UTC 2016


On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs <rgb at redhat.com> wrote:

> On 16/02/10, Max Timchenko wrote:
> > Has anyone tried that before? What would actually happen if two different
> > audit clients tried to use the same interface to the audit subsystem in the
> > kernel?
>
> With recent changes upstream, the second would be denied with -EEXIST.
>
> Before that, the older one would be starved out.  And versions even
> older might actually have the newer one orphaned in the very occasional
> race where the older one shuts down after the second one starts.
>
> To quote Highlander, "There Can Be Only One".
>

Thanks Richard and Paul for your quick responses. It's great to hear that
support for containers is being worked on.

I have read the docs on audispd(8) - is it something auditd and the other
client could use to enable multiple access? It sounds like audispd does
support multiple clients, but I would guess all clients would have to use the
audispd plugin interface instead of the usual kernel API.

What is missing from the documentation for me is the relationship between
audispd and auditd - whether audispd is an optional component of auditd that
can run concurrently, or audispd is a replacement of auditd when configured
(and then auditd cannot run on the same machine without running into the same
multi-client issues).

Yours,
--
Max
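
Added example (not part of the original message, and not code from the audit project): a read-only AUDIT_GET query that reports which PID currently holds the kernel's audit daemon slot, the state in which, per Richard's reply quoted above, a second client would be denied with -EEXIST. The netlink constants come from <linux/netlink.h> and <linux/audit.h>; the function names are hypothetical, and the live query assumes Linux and CAP_AUDIT_CONTROL.

```python
import os
import socket
import struct

NETLINK_AUDIT = 9        # <linux/netlink.h>
AUDIT_GET = 1000         # <linux/audit.h>: get audit status
NLMSG_ERROR = 2
NLM_F_REQUEST = 0x01
NLMSG_HDR = struct.Struct("=IHHII")   # len, type, flags, seq, pid
# Leading fields of struct audit_status:
# mask, enabled, failure, pid, rate_limit, backlog_limit, lost, backlog
AUDIT_STATUS = struct.Struct("=8I")


def build_get_request(seq=1):
    """AUDIT_GET is a bare netlink header; it carries no payload."""
    return NLMSG_HDR.pack(NLMSG_HDR.size, AUDIT_GET, NLM_F_REQUEST, seq, 0)


def parse_status_reply(data):
    """Return (enabled, daemon_pid) from an AUDIT_GET reply."""
    if len(data) < NLMSG_HDR.size:
        raise ValueError("short netlink message")
    length, msg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(data)
    if length < NLMSG_HDR.size or length > len(data):
        raise ValueError("truncated netlink message")
    payload = data[NLMSG_HDR.size:length]
    if msg_type == NLMSG_ERROR and len(payload) >= 4:
        # The kernel reports failures (e.g. EPERM) as a negative errno.
        err = -struct.unpack_from("=i", payload)[0]
        raise OSError(err, os.strerror(err))
    if msg_type != AUDIT_GET or len(payload) < AUDIT_STATUS.size:
        raise ValueError(f"unexpected reply (type {msg_type})")
    fields = AUDIT_STATUS.unpack_from(payload)
    return fields[1], fields[3]


def registered_audit_daemon():
    """Query the running kernel; does not change any audit state."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.sendto(build_get_request(), (0, 0))
        return parse_status_reply(s.recv(8192))


if __name__ == "__main__":
    enabled, pid = registered_audit_daemon()
    print(f"enabled={enabled}, audit daemon pid={pid or 'none registered'}")
```

A nonzero pid means a daemon is already registered with the kernel, so a second client should attach downstream of it rather than try to register itself.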
More information about the Linux-audit mailing list